Abstract. Lossy trapdoor functions, introduced by Peikert and Waters (STOC'08), have received a lot of attention in the last years, because of their wide range of applications in theoretical cryptography. The notion has been recently extended to the identity-based scenario by Bellare et al. (Eurocrypt'12). We provide one more step in this direction, by considering the notion of hierarchical identity-based lossy trapdoor functions (HIB-LTDFs). Hierarchical identity-based cryptography generalizes identity-based cryptography in the sense that identities are organized in a hierarchical way; a parent identity has more power than its descendants, because it can generate valid secret keys for them. Hierarchical identity-based cryptography has been proved very useful both for practical applications and to establish theoretical relations with other cryptographic primitives.

In order to realize HIB-LTDFs, we first build a weakly secure hierarchical predicate encryption scheme. This scheme, which may be of independent interest, is then used as a key ingredient to design a HIB-LTDF. By appropriately choosing parameters, the resulting function can be proved secure against either selective or adaptive adversaries although the underlying predicate encryption system is only selectively secure. Combining this new function with well-known results in the area, we notably obtain hierarchical identity-based encryption schemes and forward-secure cryptosystems that are deterministic or maintain some security when messages are encrypted using randomness of poor quality.


1 Introduction

(Identity-Based) Lossy Trapdoor Functions. Lossy trapdoor functions, as introduced by Peikert and Waters in [25], have been proved very powerful in theoretical cryptography and received a lot of attention in the recent years (see, e.g., [16,19,23,11,20,29]). Roughly speaking, a lossy trapdoor function is a family of functions that can be instantiated in two different modes. In the injective mode, the function is injective and can be inverted using the corresponding trapdoor. In lossy mode, the function is (highly) non-injective since its image size is much smaller than the size of the domain. The key point is that lossy instantiations of the function must be indistinguishable from injective instantiations.

In their seminal paper [25], Peikert and Waters showed that lossy trapdoor functions provide black-box constructions of chosen-plaintext secure (IND-CPA) and chosen-ciphertext secure (IND-CCA) public-key encryption schemes, universal one-way and collision-resistant hash functions. Later on, other applications of lossy trapdoor functions were discovered: they gave rise to deterministic encryption schemes [I] in the standard model [8], hedged public-key encryption schemes maintaining some security in the absence of reliable encryption coins [5] and even public key encryption with selective-opening security [5] (i.e., which offer certain security guarantees in case of sender corruption).

Very recently, Bellare, Kiltz, Peikert and Waters [7] introduced the notion of identity-based lossy trapdoor function, which is the analogue of lossy trapdoor functions in the setting of identity-based cryptography [28]. In the identity-based scenario, users' public keys are directly derived from their identities, whereas secret keys are delivered by a trusted master entity. In this way, the need for digital certificates, which usually bind public keys to users in traditional public-key cryptography, is drastically reduced. Moreover, identity-based lossy trapdoor functions (IB-LTDFs) often lead to the same cryptographic results as lossy trapdoor functions, but in the identity-based setting. Namely, in the case of selective adversaries (who choose their target identity upfront in the attack game), they imply identity-based deterministic encryption and identity-based hedged encryption.

Bellare et al. [7] proposed instantiations of identity-based lossy trapdoor functions based on bilinear maps and on lattices (as noted in [7], almost all IBE schemes belong to these families). The former makes clever use of an anonymous IBE system (where the ciphertext hides the receiver's identity) with pseudorandom ciphertexts whereas the latter relies on lossiness properties of learning-with-error-based cryptosystems.

Throughout the last decade, several generalizations of identity-based cryptography were put forth, including hierarchical identity-based cryptography [17], attribute-based cryptography [26,18] or predicate-based cryptography [9,21]. In this work, we will focus on the setting of hierarchical identity-based cryptography. Therein, the identities are organized in a hierarchical way, so that a user who holds the secret key of an identity id can generate, use and distribute valid secret keys for any identity that is a descendant of id in the hierarchy. Hierarchical identity-based encryption (HIBE) is of great interest due to both practical and theoretical reasons. On the practical side, many organizations and systems that may need (identity-based) cryptographic solutions are organized in a hierarchical way. On the theoretical side, generic constructions [12,13] are known to transform a weakly secure HIBE scheme (i.e., IND-CPA security against selective adversaries) into (public-key) encryption schemes with strong security properties, like chosen-ciphertext security [13] or forward-security [3,12], where private keys are updated in such a way that past encryptions remain safe after a private key exposure.

Our Contribution. This paper extends to the hierarchical setting the notion of identity-based lossy trapdoor function. It is worth mentioning that, using lattice basis delegation algorithms [14], the lattice-based function of Bellare et al. [7] may easily lend itself to a hierarchical extension. Here, we focus on pairing-based systems where, as already mentioned in [7], greater challenges are faced. Indeed, currently available lattice-based HIBE systems [14,1,2] natively provide anonymity whereas, in the hierarchical scenario, anonymity has been harder to obtain in the world of pairings: indeed, the first anonymous HIBE construction [10] appeared four years after the first collusion-resistant HIBE [17]. Moreover, not all anonymous IBE systems seem amenable for constructing IB-LTDFs, as noted in [7] where a new scheme was specially designed for that.

Using bilinear maps, we thus construct a hierarchical identity-based lossy trapdoor function (HIB-LTDF) whose security relies on relatively weak hardness assumptions in groups of prime order. As an intermediate step, we design a hierarchical predicate encryption (HPE) system [27,24] with suitable anonymity properties, which may be of independent interest. Perhaps surprisingly, although this scheme is proved secure only against weak selective adversaries (who select their target attribute set before seeing the public parameters), we are able to turn it into a HIB-LTDF providing security (namely, partial lossiness as defined in [7]) against adaptive adversaries for a constant number of levels.

Beyond its hierarchical nature, our construction brings up an alternative design principle for (H)IB-LTDFs: while the pairing-based construction of Bellare et al. [7] builds on an adaptively secure anonymous IBE, our (hierarchical) IB-LTDF is obtained from a selectively weakly attribute-hiding (hierarchical) predicate encryption system. In comparison with [7], we thus start from a more powerful primitive - because predicate encryption implies anonymous IBE - but only need a weaker security level to begin with. Both HIB-LTDF constructions rely on specific algebraic properties in the underlying IBE/HPE and neither is generic.

Combining our HIB-LTDF with existing results in public-key cryptography, we obtain the following results: (1) the first selectively secure hierarchical identity-based deterministic encryption scheme, (2) the first selectively secure hierarchical identity-based encryption scheme that hedges against bad randomness as advocated by Bellare et al. [5], (3) the first forward-secure deterministic and "hedged" encryption schemes. Although our scheme is not practical due to large ciphertexts and key sizes, it provides the first feasibility results in these directions.

Organization. After recalling the necessary computational assumptions and the syntax of hierarchical predicate encryption, we introduce in Section 2 the new notion of hierarchical identity-based lossy trapdoor functions: we describe the protocols of such functions, and the required security property of partial lossiness (in both a selective and an adaptive setting). Then, we propose and analyze a new hierarchical predicate encryption scheme in Section 3, which is later used as a key ingredient in Section 4, where we construct a specific hierarchical identity-based lossy trapdoor function and we prove its security.

2 Background and Definitions 
2.1 Complexity Assumptions 

We consider groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of prime order $p$ for which an asymmetric bilinear map $e : \mathbb{G} \times \hat{\mathbb{G}} \to \mathbb{G}_T$ is efficiently computable. We will assume that the DDH assumption holds in both $\mathbb{G}$ and $\hat{\mathbb{G}}$, which implies that no isomorphism is efficiently computable in either direction between $\mathbb{G}$ and $\hat{\mathbb{G}}$. In this setting, the assumptions that we need are sometimes somewhat stronger than DDH. However, these assumptions have constant size and they are not new: for example, the second one was used in [E].

The Bilinear Diffie-Hellman Assumption (BDH): in bilinear groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of prime order $p$, it is computationally infeasible to distinguish the distributions

$D_1 = \{(g,\, g^a,\, g^c,\, \hat g,\, \hat g^a,\, \hat g^b,\, e(g,\hat g)^{abc}) \mid a,b,c \leftarrow \mathbb{Z}_p\}$,
$D_2 = \{(g,\, g^a,\, g^c,\, \hat g,\, \hat g^a,\, \hat g^b,\, e(g,\hat g)^{z}) \mid a,b,c,z \leftarrow \mathbb{Z}_p\}$.

The $\mathcal{P}$-BDH$_1$ Assumption: in asymmetric bilinear groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of prime order $p$, the distributions

$D_1 = \{(g,\, g^b,\, g^{ab},\, g^c,\, \hat g,\, \hat g^a,\, \hat g^b,\, g^{abc}) \mid a,b,c \leftarrow \mathbb{Z}_p\}$,
$D_2 = \{(g,\, g^b,\, g^{ab},\, g^c,\, \hat g,\, \hat g^a,\, \hat g^b,\, g^{z}) \mid a,b,c,z \leftarrow \mathbb{Z}_p\}$

are indistinguishable for any probabilistic polynomial time (PPT) algorithm.

The DDH2 Assumption: in asymmetric bilinear groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of prime order $p$, the following distributions are computationally indistinguishable

$D_1 = \{(g,\, \hat g,\, \hat g^a,\, \hat g^b,\, \hat g^{ab}) \mid a,b \leftarrow \mathbb{Z}_p\}$,
$D_2 = \{(g,\, \hat g,\, \hat g^a,\, \hat g^b,\, \hat g^{z}) \mid a,b,z \leftarrow \mathbb{Z}_p\}$.
2.2 Definitions for Hierarchical Predicate Encryption

A tuple of integers $V = (\mu_1, d;\, v_1, \dots, v_d)$ such that $v_0 = 0 < v_1 < v_2 < \cdots < v_d = \mu_1$ is called a format hierarchy of depth $d$. Such a hierarchy is associated with attribute spaces $\{\Sigma_i\}_{i=0}^{d}$. In our setting, we set $\Sigma_i = \mathbb{Z}_p^{\,v_i - v_{i-1}} \setminus \{\mathbf{0}\}$ for $i = 1$ to $d$, for some $p \in \mathbb{N}$, and also define the universe of hierarchical attributes as $\Sigma := \bigcup_{\ell=1}^{d} (\Sigma_1 \times \cdots \times \Sigma_\ell)$. For vectors $\{X_i \in \Sigma_i\}_{i \in \{1,\dots,d\}}$, we will consider the (inner-product) hierarchical predicate $f_{(X_1,\dots,X_\ell)}(Y_1,\dots,Y_\kappa) = 1$ iff $\ell \le \kappa$ and $X_i \cdot Y_i = 0$ for all $i \in \{1,\dots,\ell\}$. The space of hierarchical predicates is defined to be

$\mathcal{F} = \{ f_{(X_1,\dots,X_\ell)} \mid \{X_i \in \Sigma_i\}_{i \in \{1,\dots,\ell\}} \}$

and the integer $\kappa$ (resp. $\ell$) is called the depth (resp. the level) of $(Y_1,\dots,Y_\kappa)$ (resp. $(X_1,\dots,X_\ell)$).

Let $V = (\mu_1, d;\, v_1, \dots, v_d)$ be a format hierarchy. A hierarchical predicate encryption (HPE) scheme for a predicate family $\mathcal{F}$ consists of these algorithms.

Setup$(\lambda, V)$: takes as input a security parameter $\lambda \in \mathbb{N}$ and a format hierarchy $V = (\mu_1, d;\, v_1, \dots, v_d)$. It outputs a master secret key msk and a master public key mpk that includes the description of a hierarchical attribute space $\Sigma$.

Keygen$(\mathrm{msk}, (X_1,\dots,X_\ell))$: takes as input predicate vectors $(X_1,\dots,X_\ell) \in \Sigma_1 \times \cdots \times \Sigma_\ell$ and the master secret key msk. It outputs a private key $SK_{(X_1,\dots,X_\ell)}$.

Encrypt$(\mathrm{mpk}, (Y_1,\dots,Y_\kappa), M)$: takes as input attribute vectors $(Y_1,\dots,Y_\kappa) \in \Sigma_1 \times \cdots \times \Sigma_\kappa$, the master public key mpk and a message $M$. It outputs a ciphertext $C$.

Decrypt$(\mathrm{mpk}, (X_1,\dots,X_\ell), SK_{(X_1,\dots,X_\ell)}, C)$: takes in a private key $SK_{(X_1,\dots,X_\ell)}$ for the vectors $(X_1,\dots,X_\ell)$, the master public key mpk and a ciphertext $C$. It outputs a plaintext $M$ or $\bot$.

Delegate$(\mathrm{mpk}, (X_1,\dots,X_\ell), SK_{(X_1,\dots,X_\ell)}, X_{\ell+1})$: takes in an $\ell$-th level private key $SK_{(X_1,\dots,X_\ell)}$, the corresponding vectors $(X_1,\dots,X_\ell)$ and a vector $X_{\ell+1}$. It outputs an $(\ell+1)$-th level private key $SK_{(X_1,\dots,X_\ell,X_{\ell+1})}$.

Correctness mandates that, for any message $M$ and vectors $X_1,\dots,X_\ell, Y_1,\dots,Y_\kappa$,

$\mathrm{Decrypt}(\mathrm{mpk}, (X_1,\dots,X_\ell), SK_{(X_1,\dots,X_\ell)}, \mathrm{Encrypt}(\mathrm{mpk}, (Y_1,\dots,Y_\kappa), M)) = M$

whenever $f_{(X_1,\dots,X_\ell)}(Y_1,\dots,Y_\kappa) = 1$.

Following [24], we write $f' \le f$ to express that the predicate vector of $f$ is a prefix of that for $f'$, meaning that $f'$ is at least as constraining as $f$.

Definition 1. A Hierarchical Predicate Encryption scheme is selectively weakly attribute-hiding if no PPT adversary has non-negligible advantage in the following game:

1. The adversary $A$ chooses a format hierarchy $V = (\mu_1, d;\, v_1,\dots,v_d)$ and vectors $(Y_1^{(0)},\dots,Y_{d^*}^{(0)})$, $(Y_1^{(1)},\dots,Y_{d^*}^{(1)})$, for some $d^* \le d$. The challenger generates a master key pair $(\mathrm{msk},\mathrm{mpk}) \leftarrow \mathrm{Setup}(\lambda, V)$ and mpk is given to $A$.

2. $A$ is allowed to make a number of adaptive queries.

- Create-key: $A$ provides a predicate $f \in \mathcal{F}$ and the challenger creates a private key $SK_f$ for $f$ without revealing it to $A$.

- Create-delegated-key: $A$ chooses a private key that was previously created for some predicate $f$ and also specifies another predicate $f' \le f$ that $f$ is a prefix of. The challenger then computes a delegated key $SK_{f'}$ for $f'$ without revealing it to $A$.

- Reveal-key: $A$ asks the challenger to give out a previously created key.

For each Reveal-key query $(X_1,\dots,X_\ell)$, it is required that

$f_{(X_1,\dots,X_\ell)}(Y_1^{(0)},\dots,Y_{d^*}^{(0)}) = f_{(X_1,\dots,X_\ell)}(Y_1^{(1)},\dots,Y_{d^*}^{(1)}) = 0.$

3. $A$ outputs messages $M_0, M_1$. Then, the challenger chooses $\beta \leftarrow \{0,1\}$ and computes a challenge ciphertext $C^* = \mathrm{Encrypt}(\mathrm{mpk}, (Y_1^{(\beta)},\dots,Y_{d^*}^{(\beta)}), M_\beta)$, which is sent to $A$.

4. $A$ makes further private key queries for hierarchical vectors $(X_1,\dots,X_\ell)$ under the same restriction as above.

5. $A$ outputs a bit $\beta' \in \{0,1\}$ and wins if $\beta' = \beta$.

$A$'s advantage is quantified as the distance $\mathrm{Adv}(A) = |\Pr[\beta' = \beta] - 1/2|$.

2.3 Definitions for Hierarchical Identity-Based Lossy Trapdoor Functions 

In this section we extend to the hierarchical scenario the definitions for identity-based (lossy) 
trapdoor functions given in [7]. 

Syntax. A hierarchical identity-based trapdoor function (HIB-TDF) is a tuple of efficient algorithms HF = (HF.Setup, HF.MKg, HF.Kg, HF.Del, HF.Eval, HF.Inv). The setup algorithm HF.Setup takes as input a security parameter $\lambda$ and outputs a set of global public parameters pms, which specifies an input space InpSp, an identity space IdSp and the necessary mathematical objects and hash functions. The master key generation algorithm HF.MKg takes as input pms and outputs a master public key mpk and a master secret key msk. The key generation algorithm HF.Kg takes as input pms, msk and a hierarchical identity $(\mathrm{id}_1,\dots,\mathrm{id}_\ell) \in \mathrm{IdSp}$, for some $\ell \ge 1$, and outputs a secret key $SK_{(\mathrm{id}_1,\dots,\mathrm{id}_\ell)}$. The delegation algorithm HF.Del takes as input pms, msk, a hierarchical identity $(\mathrm{id}_1,\dots,\mathrm{id}_\ell)$, a secret key $SK_{(\mathrm{id}_1,\dots,\mathrm{id}_\ell)}$ for it, and an additional identity $\mathrm{id}_{\ell+1}$; the output is a secret key $SK_{(\mathrm{id}_1,\dots,\mathrm{id}_\ell,\mathrm{id}_{\ell+1})}$ for the hierarchical identity $(\mathrm{id}_1,\dots,\mathrm{id}_\ell,\mathrm{id}_{\ell+1})$ iff $(\mathrm{id}_1,\dots,\mathrm{id}_\ell,\mathrm{id}_{\ell+1}) \in \mathrm{IdSp}$. The evaluation algorithm HF.Eval takes as input pms, mpk, a hierarchical identity $\mathrm{id} = (\mathrm{id}_1,\dots,\mathrm{id}_\ell)$ and a value $X \in \mathrm{InpSp}$; the result of the evaluation is denoted as $C$. Finally, the inversion algorithm HF.Inv takes as input pms, mpk, a hierarchical identity $\mathrm{id} = (\mathrm{id}_1,\dots,\mathrm{id}_\ell)$, a secret key $SK_{\mathrm{id}}$ for it and an evaluation $C$, and outputs a value $X \in \mathrm{InpSp}$.

A HIB-TDF satisfies the property of correctness if

$\mathrm{HF.Inv}(\mathrm{pms}, \mathrm{mpk}, \mathrm{id}, SK_{\mathrm{id}}, \mathrm{HF.Eval}(\mathrm{pms}, \mathrm{mpk}, \mathrm{id} = (\mathrm{id}_1,\dots,\mathrm{id}_\ell), X)) = X,$

for any $X \in \mathrm{InpSp}$, any pms, $(\mathrm{mpk},\mathrm{msk})$ generated by HF.Setup and HF.MKg, any hierarchical identity $(\mathrm{id}_1,\dots,\mathrm{id}_\ell) \in \mathrm{IdSp}$ and any secret key $SK_{(\mathrm{id}_1,\dots,\mathrm{id}_\ell)}$ generated either by running $\mathrm{HF.Kg}(\mathrm{pms},\mathrm{msk},(\mathrm{id}_1,\dots,\mathrm{id}_\ell))$ or by applying the delegation algorithm HF.Del to secret keys of shorter hierarchical identities.

A particular way of constructing HIB-TDFs is to consider extended HIB-TDFs; the only difference between HIB-TDFs and extended HIB-TDFs is that, in the latter, the algorithm HF.Setup specifies in pms an auxiliary input space AuxSp, and HF.MKg takes as additional auxiliary input $\mathrm{aux} \in \mathrm{AuxSp}$.

Security. The basic security property of a trapdoor function is one-wayness, which means that an adversary cannot invert the function without the suitable secret key. Partial lossiness was introduced in [7], where it was also proven to imply one-wayness. This result is easily extended to the hierarchical scenario, and for this reason, we focus on the property of partial lossiness. Before giving its formal definition, let us recall the notion of lossiness: if $f$ is a function with domain $\mathrm{Dom}(f)$ and image $\mathrm{Im}(f) = \{f(x) : x \in \mathrm{Dom}(f)\}$, we say that $f$ is $\omega$-lossy if $\Delta(f) \ge \omega$, where

Let HF = (HF.Setup, HF.MKg, HF.Kg, HF.Del, HF.Eval, HF.Inv) be a HIB-TDF. A sibling for HF is an extended HIB-TDF LHF = (HF.Setup, LHF.MKg, LHF.Kg, HF.Del, HF.Eval, HF.Inv) whose global setup, delegation, evaluation and inversion algorithms are those of HF, and where an auxiliary space AuxSp is contained in $\mathrm{pms} \leftarrow \mathrm{HF.Setup}(\lambda)$.

We say that a hierarchical identity $\mathrm{id} = (\mathrm{id}_1,\dots,\mathrm{id}_\ell)$ is a prefix of another one $\mathrm{id}^* = (\mathrm{id}_1^*,\dots,\mathrm{id}_{\ell^*}^*)$ if $\ell \le \ell^*$ and $\mathrm{id}_i = \mathrm{id}_i^*$ for every $i = 1,\dots,\ell$.

Definition 2. For a value $\delta \in (0,1)$, a HIB-LTDF is $(\omega,\delta)$-partially lossy if it admits a sibling for which no PPT adversary $A$ has non-negligible advantage in the following experiment where, depending on some secret bit $\beta \in \{0,1\}$, the challenger plays either game REAL (when $\beta = 0$) or game LOSSY (when $\beta = 1$). Some instructions depend on whether $A$ is a selective or an adaptive adversary.

0. The challenger generates global parameters $\mathrm{pms} \leftarrow \mathrm{HF.Setup}(\lambda)$ which are given to $A$ who chooses an identity $\mathrm{id}^\dagger = (\mathrm{id}_1^\dagger,\dots,\mathrm{id}_{\ell^\dagger}^\dagger)$, for some $\ell^\dagger \le d$.

1. If the challenger plays the game REAL (i.e., if $\beta = 0$), the challenger runs $(\mathrm{mpk},\mathrm{msk}) \leftarrow \mathrm{HF.MKg}(\mathrm{pms})$. Otherwise, the challenger is playing the LOSSY game and runs $(\mathrm{mpk},\mathrm{msk}) \leftarrow \mathrm{LHF.MKg}(\mathrm{pms},\mathrm{id}^\dagger)$. The adversary $A$ receives mpk in both cases and a list $IS \leftarrow \emptyset$ is initialized.

2. $A$ makes secret key queries for hierarchical identities $\mathrm{id} = (\mathrm{id}_1,\dots,\mathrm{id}_\ell)$. The challenger responds as follows: a) upon a Create-key query, if $\beta = 0$, the challenger generates a private key as per $SK_{(\mathrm{id}_1,\dots,\mathrm{id}_\ell)} \leftarrow \mathrm{HF.Kg}(\mathrm{pms},\mathrm{msk},(\mathrm{id}_1,\dots,\mathrm{id}_\ell))$ and if $\beta = 1$, it generates instead $SK_{(\mathrm{id}_1,\dots,\mathrm{id}_\ell)} \leftarrow \mathrm{LHF.Kg}(\mathrm{pms},\mathrm{msk},(\mathrm{id}_1,\dots,\mathrm{id}_\ell))$; b) upon a Create-delegated-key query, the challenger simply runs the delegation algorithm HF.Del on input some secret key previously created at the request of $A$; c) upon a Reveal-key query, the challenger returns $\bot$ if no key was previously created for the queried identity $\mathrm{id} = (\mathrm{id}_1,\dots,\mathrm{id}_\ell)$ and otherwise, the queried key $SK_{(\mathrm{id}_1,\dots,\mathrm{id}_\ell)}$ is returned to $A$ and the list $IS$ is updated as $IS = IS \cup \{\mathrm{id}\}$.

3. The adversary $A$ outputs a hierarchical identity $\mathrm{id}^* = (\mathrm{id}_1^*,\dots,\mathrm{id}_{\ell^*}^*)$ and a bit $d' \in \{0,1\}$. In the selective setting, we impose $\ell^* = \ell^\dagger$ and $\mathrm{id}_j^* = \mathrm{id}_j^\dagger$ for each $j \in \{1,\dots,\ell^*\}$. In the adaptive case, we require that neither $\mathrm{id}^*$ nor any of its prefixes was the input of a "Reveal-key" query.

4. The final output of the experiment is defined as follows. If $\beta = 0$, the experiment simply returns $d_{\mathrm{REAL}} = d'$. If $\beta = 1$, the experiment returns $d_{\mathrm{LOSSY}} = 1$ if the conjunction of events

$(d' = 1) \;\wedge\; \big(\Delta(\mathrm{HF.Eval}(\mathrm{pms},\mathrm{mpk},(\mathrm{id}_1^*,\dots,\mathrm{id}_{\ell^*}^*),\cdot)) \ge \omega\big)$

is true. Otherwise, the experiment returns $d_{\mathrm{LOSSY}} = 0$.

As in [1], $A$'s advantage is

$\mathbf{Adv}^{\mathrm{lossy}}(A) = \delta \cdot \Pr[d_{\mathrm{REAL}} = 1] - \Pr[d_{\mathrm{LOSSY}} = 1].$

Observe that, given that $d_{\mathrm{REAL}}$ is only defined in game REAL (i.e., when $\beta = 0$), we have $\Pr[d_{\mathrm{REAL}} = 1] = \Pr[d_{\mathrm{REAL}} = 1 \mid \beta = 0]$ and the same holds with $d_{\mathrm{LOSSY}}$.

3 A Selectively Secure Weakly Attribute-Hiding Hierarchical Predicate 
Encryption Scheme 

We propose here a new hierarchical predicate encryption (HPE) scheme which considers inner-product predicates, and which will be used as a key ingredient in the design of our HIB-LTDF, in Section 4. For simplicity, we assume that vectors of attributes are all of the same length $\mu \in \mathbb{N}$ at each level.

The construction is inspired from the Shi-Waters delegatable predicate encryption scheme [27]. However, we have to turn it into a predicate encryption scheme for inner product relations (like the one of Okamoto and Takashima [24]) instead of a hidden vector encryption [9]. Another difficulty to solve is that we cannot use composite order groups as in [27] because, in our HIB-LTDF of Section 4, one of the subgroups would leak information on the input in lossy mode (this is actually what happened with our initial attempt). For this reason, we chose to work with prime-order groups and used asymmetric pairing configurations to anonymize ciphertexts. As a benefit, we obtain a better efficiency than by using the techniques of [9] by reducing the number of pairing evaluations.

Setup$(\lambda, \mu)$: given $\lambda \in \mathbb{N}$ and the desired length $\mu$ of the attribute vectors at each level, choose asymmetric bilinear groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of order $p$, where $p > 2^\lambda$. Choose $g \leftarrow \mathbb{G}$, $\hat g \leftarrow \hat{\mathbb{G}}$. Then, pick $\alpha, \alpha_v, \alpha_w \leftarrow \mathbb{Z}_p^*$ and set $v = g^{\alpha_v}$, $\hat v = \hat g^{\alpha_v}$, $w = g^{\alpha_w}$ and $\hat w = \hat g^{\alpha_w}$. For $i_1 = 1,\dots,d$ and $i_2 = 0,\dots,\mu$, choose $\alpha_{i_1,i_2} \leftarrow \mathbb{Z}_p^*$ and compute $h_{i_1,i_2} = g^{\alpha_{i_1,i_2}} \in \mathbb{G}$ and $\hat h_{i_1,i_2} = \hat g^{\alpha_{i_1,i_2}} \in \hat{\mathbb{G}}$. The master public key is defined to be

$\mathrm{mpk} := \big(v,\, w,\, e(g,\hat v)^{\alpha},\, \{h_{i_1,i_2}\}_{i_1 \in \{1,\dots,d\},\, i_2 \in \{0,\dots,\mu\}}\big)$

while the master secret key is $\mathrm{msk} := \big(\hat g,\, \hat g^{\alpha},\, \hat v,\, \hat w,\, \{\hat h_{i_1,i_2}\}_{i_1 \in \{1,\dots,d\},\, i_2 \in \{0,\dots,\mu\}}\big)$.

Keygen$(\mathrm{msk}, (X_1,\dots,X_\ell))$: to generate a private key for vectors $(X_1,\dots,X_\ell)$ with $\ell \le d$, parse msk as $(\hat g, \hat v, \hat w, \{\hat h_{i_1,i_2}\}_{i_1 \in \{1,\dots,d\},\, i_2 \in \{0,\dots,\mu\}})$. For $i_1 = 1$ to $\ell$, parse $X_{i_1}$ as $(x_{i_1,1},\dots,x_{i_1,\mu}) \in \mathbb{Z}_p^{\mu}$. Choose $r_w \leftarrow \mathbb{Z}_p^*$ and $r_1,\dots,r_\ell \leftarrow \mathbb{Z}_p^*$, for $i_1 \in \{1,\dots,\ell\}$. Then, compute the decryption component $SK_D = (D, D_w, \{D_{i_1}\}_{i_1=1}^{\ell})$ of the key as

$D = \hat g^{\alpha} \cdot \prod_{i_1=1}^{\ell}\Big(\prod_{i_2=1}^{\mu} \hat h_{i_1,i_2}^{\,x_{i_1,i_2}}\Big)^{r_{i_1}} \cdot \hat w^{\,r_w}, \qquad D_w = \hat v^{\,r_w}, \qquad D_{i_1} = \hat v^{\,r_{i_1}}.$

To define the elements of its delegation component

$SK_{DL} = \big(\{K_{j,k}\}_{j \in \{\ell+1,\dots,d\},\, k \in \{1,\dots,\mu\}},\ \{L_j\}_{j=\ell+1}^{d},\ \{L_{j,k,h}\}_{j \in \{\ell+1,\dots,d\},\, k \in \{1,\dots,\mu\},\, h \in \{1,\dots,\ell\}},\ \{L_{w,j,k}\}_{j \in \{\ell+1,\dots,d\},\, k \in \{1,\dots,\mu\}}\big)$

pick $s_j \leftarrow \mathbb{Z}_p^*$, $s_{j,k,i_1} \leftarrow \mathbb{Z}_p^*$, $s_{w,j,k} \leftarrow \mathbb{Z}_p^*$ for $i_1 \in \{1,\dots,\ell\}$, $i_2 \in \{1,\dots,\mu\}$ and set:



ii=l i2=l 
$L_j = \hat v^{\,s_j}, \qquad L_{j,k,i_1} = \hat v^{\,s_{j,k,i_1}}, \qquad L_{w,j,k} = \hat v^{\,s_{w,j,k}}.$

Output the private key $SK_{(X_1,\dots,X_\ell)} = (SK_D, SK_{DL})$.

Delegate$(\mathrm{mpk}, (X_1,\dots,X_\ell), SK_{(X_1,\dots,X_\ell)}, X_{\ell+1})$: parse the key $SK_{(X_1,\dots,X_\ell)}$ as $(SK_D, SK_{DL})$. Given $X_{\ell+1} = (x_{\ell+1,1},\dots,x_{\ell+1,\mu}) \in \mathbb{Z}_p^{\mu}$, do the following.

1. Randomize $SK_{DL}$ by raising all its components to some $z \leftarrow \mathbb{Z}_p^*$. Call this new key $\widehat{SK}_{DL}$ and write its elements with a hat (e.g., $\hat K_{j,k} = K_{j,k}^{\,z}$).

2. Compute a partial decryption key

$K_{\ell+1} = \prod_{k=1}^{\mu} \hat K_{\ell+1,k}^{\,x_{\ell+1,k}},$

$L_{\ell+1,h} = \prod_{k=1}^{\mu} \hat L_{\ell+1,k,h}^{\,x_{\ell+1,k}} = \hat v^{\,s_{\ell+1,h}} \quad \text{for } h \in \{1,\dots,\ell\},$

$L_{\ell+1,\ell+1} = \hat L_{\ell+1}, \qquad L_{w,\ell+1} = \prod_{k=1}^{\mu} \hat L_{w,\ell+1,k}^{\,x_{\ell+1,k}} = \hat v^{\,s_{w,\ell+1}},$

where we define the exponents $s_{\ell+1,h} = z \cdot \sum_{k=1}^{\mu} s_{\ell+1,k,h} \cdot x_{\ell+1,k}$ for $h \in \{1,\dots,\ell\}$, and $s_{w,\ell+1} = z \cdot \sum_{k=1}^{\mu} s_{w,\ell+1,k} \cdot x_{\ell+1,k}$.

3. For all $j \in \{\ell+2,\dots,d\}$, $k \in \{1,\dots,\mu\}$, compute re-randomized versions of the partial decryption key by raising the partial decryption key to a random power $\tau_{j,k} \leftarrow \mathbb{Z}_p^*$. These values will be used to compute the delegation component of the new key at step 5.

4. Compute a decryption component $SK'_D = (D', D'_w, \{D'_{i_1}\}_{i_1=1}^{\ell+1})$ for the delegated key by setting $D' = D \cdot K_{\ell+1}$, $D'_w = D_w \cdot L_{w,\ell+1}$. Then, define $D'_{\ell+1} = L_{\ell+1,\ell+1}$ and, for each $i_1 \in \{1,\dots,\ell\}$, set $D'_{i_1} = D_{i_1} \cdot L_{\ell+1,i_1}$.

5. Compute a delegation component for the delegated key. For each $j \in \{\ell+2,\dots,d\}$, set $L'_j = \hat L_j$. Then, for $k = 1$ to $\mu$ and $i_1 = 1$ to $\ell+1$, set

$K'_{j,k} = \hat K_{j,k} \cdot K_{\ell+1}^{\,\tau_{j,k}}, \qquad L'_{w,j,k} = \hat L_{w,j,k} \cdot L_{w,\ell+1}^{\,\tau_{j,k}}, \qquad L'_{j,k,i_1} = \hat L_{j,k,i_1} \cdot L_{\ell+1,i_1}^{\,\tau_{j,k}},$

where $\hat L_{j,k,\ell+1} = 1$ for all $j, k$. The new delegation component $SK'_{DL}$ is

$\big(\{K'_{j,k}\}_{j \in \{\ell+2,\dots,d\},\, k \in \{1,\dots,\mu\}},\ \{L'_j\}_{j=\ell+2}^{d},\ \{L'_{j,k,i_1}\}_{j \in \{\ell+2,\dots,d\},\, k \in \{1,\dots,\mu\},\, i_1 \in \{1,\dots,\ell+1\}},\ \{L'_{w,j,k}\}_{j \in \{\ell+2,\dots,d\},\, k \in \{1,\dots,\mu\}}\big).$

Return the delegated private key $SK_{(X_1,\dots,X_{\ell+1})} = (SK'_D, SK'_{DL})$.
Encrypt$(\mathrm{mpk}, (Y_1,\dots,Y_\kappa), M)$: given a plaintext $M \in \mathbb{G}_T$ and vectors $Y_1 = (y_{1,1},\dots,y_{1,\mu}),\dots,Y_\kappa = (y_{\kappa,1},\dots,y_{\kappa,\mu})$, choose $s \leftarrow \mathbb{Z}_p^*$ and compute

$C_0 = M \cdot e(g,\hat v)^{\alpha s}, \qquad C_v = v^{s}, \qquad C_w = w^{s},$

$\{C_{i_1,i_2} = (h_{i_1,0}^{\,y_{i_1,i_2}} \cdot h_{i_1,i_2})^{s}\}_{i_1 \in \{1,\dots,\kappa\},\, i_2 \in \{1,\dots,\mu\}}.$

The ciphertext is $C = (C_0, C_v, C_w, \{C_{i_1,i_2}\}_{i_1 \in \{1,\dots,\kappa\},\, i_2 \in \{1,\dots,\mu\}})$.

Decrypt$(\mathrm{mpk}, (X_1,\dots,X_\ell), SK_{(X_1,\dots,X_\ell)}, C)$: parse the private key $SK_{(X_1,\dots,X_\ell)}$ as $(SK_D, SK_{DL})$, where $SK_D = (D, D_w, \{D_{i_1}\}_{i_1=1}^{\ell})$, and the ciphertext $C$ as $(C_0, C_v, C_w, \{C_{i_1,i_2}\}_{i_1 \in \{1,\dots,\kappa\},\, i_2 \in \{1,\dots,\mu\}})$. Then, do the following.

1. For each index $i_1 \in \{1,\dots,\ell\}$, compute the product $C_{i_1} = \prod_{i_2=1}^{\mu} C_{i_1,i_2}^{\,x_{i_1,i_2}}$, which equals $\big(\prod_{i_2=1}^{\mu} h_{i_1,i_2}^{\,x_{i_1,i_2}}\big)^{s}$ when $X_{i_1} \cdot Y_{i_1} = 0$.

2. Return $M$ if $M = C_0 \cdot e(C_v, D)^{-1} \cdot e(C_w, D_w) \cdot \prod_{i_1=1}^{\ell} e(C_{i_1}, D_{i_1})$ is in the appropriate subspace$^4$ of $\mathbb{G}_T$. Otherwise, return $\bot$.

Our HIB-LTDF uses the predicate-only variant of the above scheme. This variant is obtained by discarding the ciphertext component $C_0$ (which contains the payload) and the factor $\hat g^{\alpha}$ from the private key component $D$.

Although the scheme is only proved secure in the sense of a relatively weak definition (see next section), we believe it is of interest in its own right as it seems to be the fastest known hierarchical predicate encryption system. Indeed, the number of pairing evaluations only depends on the depth $\ell$ of the predicate $(X_1,\dots,X_\ell)$ encoded in the private key and not on the dimension $\mu$ of vectors at each level. This appears to be a unique feature among all known such systems: previous constructions cost $O(\ell \cdot \mu)$ pairing evaluations to decrypt. It would be interesting to see if a similarly efficient scheme can be proved fully secure.

3.1 Analysis of the New HPE Scheme 

Let us prove now that our hierarchical predicate encryption scheme is both correct and selectively 
weakly attribute-hiding. 

Correctness 

Lemma 1. The scheme given in Section 3 is correct. That is, for any plaintext $M$ and any vectors $X_1,\dots,X_\ell, Y_1,\dots,Y_\kappa$,

$\mathrm{Decrypt}(\mathrm{mpk}, (X_1,\dots,X_\ell), SK_{(X_1,\dots,X_\ell)}, \mathrm{Encrypt}(\mathrm{mpk}, (Y_1,\dots,Y_\kappa), M)) = M$

whenever $f_{(X_1,\dots,X_\ell)}(Y_1,\dots,Y_\kappa) = 1$. This fact does not depend on whether the key $SK_{(X_1,\dots,X_\ell)}$ was created using the Delegate or the Keygen algorithm.

$^4$ As in [9,21], the plaintext space is restricted to have a size much smaller than $|\mathbb{G}_T|$ to make sure that the decryption algorithm returns $\bot$ if an unauthorized key is used to decrypt.
Proof. Let $SK_{(X_1,\dots,X_\ell)} = (SK_D, SK_{DL})$ be the output of running the key generation protocol Keygen$(\mathrm{msk}, (X_1,\dots,X_\ell))$, where each attribute vector is $X_{i_1} = (x_{i_1,1},\dots,x_{i_1,\mu}) \in \mathbb{Z}_p^{\mu}$, for each $i_1 \in \{1,\dots,\ell\}$. Let us write the decryption component of the key as $SK_D = (D, D_w, \{D_{i_1}\}_{i_1=1}^{\ell})$.

Let $C = (C_0, C_v, C_w, \{C_{i_1,i_2}\}_{i_1 \in \{1,\dots,\kappa\},\, i_2 \in \{1,\dots,\mu\}})$ be the output of the encryption algorithm Encrypt$(\mathrm{mpk}, (Y_1,\dots,Y_\kappa), M)$, for vectors $Y_1 = (y_{1,1},\dots,y_{1,\mu}),\dots,Y_\kappa = (y_{\kappa,1},\dots,y_{\kappa,\mu})$.

Since $f_{(X_1,\dots,X_\ell)}(Y_1,\dots,Y_\kappa) = 1$ and by the definition of hierarchical inner-product predicates, we know that $\ell \le \kappa$ and $X_i \cdot Y_i = 0$ for all $i \in \{1,\dots,\ell\}$. Therefore, when the decryption protocol Decrypt$(\mathrm{mpk}, (X_1,\dots,X_\ell), SK_{(X_1,\dots,X_\ell)}, C)$ computes $C_{i_1}$, for each $i_1 \in \{1,\dots,\ell\}$, the obtained value equals $C_{i_1} = \big(\prod_{i_2=1}^{\mu} h_{i_1,i_2}^{\,x_{i_1,i_2}}\big)^{s}$. The decryption protocol then computes the pairing of this element $C_{i_1}$ with $D_{i_1} = \hat v^{\,r_{i_1}}$. Multiplying all these pairings, for indices $i_1 \in \{1,\dots,\ell\}$, one obtains

$e\Big(v^{s},\ \prod_{i_1=1}^{\ell}\Big(\prod_{i_2=1}^{\mu} \hat h_{i_1,i_2}^{\,x_{i_1,i_2}}\Big)^{r_{i_1}}\Big).$

This value is cancelled out with one of the factors of $e(C_v, D)$, when computing the final decryption operation $C_0 \cdot e(C_v, D)^{-1} \cdot e(C_w, D_w) \cdot \prod_{i_1=1}^{\ell} e(C_{i_1}, D_{i_1})$. The other two factors of $e(C_v, D)$ are $e(v^{s}, \hat g^{\alpha})$ and $e(v^{s}, \hat w^{\,r_w})$, which cancel out the factor $e(g,\hat v)^{\alpha s}$ contained in $C_0 = M \cdot e(g,\hat v)^{\alpha s}$, and the factor $e(C_w, D_w) = e(w^{s}, \hat v^{\,r_w})$, respectively. Therefore, the final computation of the decryption protocol results in the plaintext $M$ contained in $C_0$.

In this way, we have proved that the encryption and decryption protocols work correctly when the original secret keys (resulting from Keygen) are used. The fact that the decryption protocol works fine also with delegated secret keys (resulting from Delegate) is a consequence of Lemma 2 inside the proof of Theorem 1 below. If a delegated secret key could lead to an incorrect decryption, then this fact could be used to distinguish original secret keys from delegated ones, which would contradict the statement of Lemma 2. □

Attribute-Hiding Property 

The new hierarchical predicate encryption scheme is selectively weakly attribute-hiding under the BDH, $\mathcal{P}$-BDH$_1$ and DDH2 assumptions, as proved below. We want to stress that the security of its predicate-only variant (which is the one used as a key ingredient in the design of our HIB-LTDF) relies only on the latter two assumptions.

Theorem 1. The scheme given in Section 3 is selectively weakly attribute-hiding if the BDH, $\mathcal{P}$-BDH$_1$ and DDH2 assumptions hold in $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$.

The proof considers a sequence of games starting with the real game and ending with a game 
where the adversary has no advantage and wins with probability exactly 1/2. 

For each $i$, we denote by $S_i$ the event that the adversary wins in $\mathsf{Game}_i$. In the whole sequence of games, we call $d^*$ the depth of the challenge hierarchical vectors $(Y_1^{(0)},\dots,Y_{d^*}^{(0)})$ and $(Y_1^{(1)},\dots,Y_{d^*}^{(1)})$ and

$C^* = (C_0^*, C_v^*, C_w^*, \{C^*_{i_1,i_2}\}_{i_1 \in \{1,\dots,d^*\},\, i_2 \in \{1,\dots,\mu\}})$

denotes the challenge ciphertext.

$\mathsf{Game}_0$: is the real attack game at the end of which the challenger outputs 1 in the event, called $S_0$, that the adversary $A$ manages to output $\beta' \in \{0,1\}$ such that $\beta' = \beta$, where $\beta \in \{0,1\}$ is the challenger's hidden bit in the challenge phase. If $\beta' \ne \beta$, the challenger outputs 0.

$\mathsf{Game}_1$: is identical to $\mathsf{Game}_0$ with the difference that the challenger always answers private key queries by returning fresh private keys (i.e., keys produced by Keygen) instead of deriving those keys using the delegation algorithm.

$\mathsf{Game}_2$: is like $\mathsf{Game}_1$ but the challenge ciphertext $C^*$ is now an encryption under $(Y_1^{(\beta)},\dots,Y_{d^*}^{(\beta)})$ of a random plaintext $M \leftarrow \mathbb{G}_T$, which is chosen independently of $M_0$ and $M_1$.

$\mathsf{Game}_3$: is identical to $\mathsf{Game}_2$ with the difference that, in the challenge ciphertext, $C^*$ is replaced by a random group element chosen uniformly and independently in $\mathbb{G}$.

$\mathsf{Game}_{4,i,j}$ ($1 \le i \le d^*$, $1 \le j \le \mu$): is identical to $\mathsf{Game}_3$ with the difference that, in the challenge ciphertext, the elements $C^*_{i_1,i_2}$ are replaced by random elements of $\mathbb{G}$ if $i_1 < i$ or $(i_1 = i) \wedge (i_2 \le j)$. Other group elements (i.e., those for which $i_1 > i$ or $(i_1 = i) \wedge (i_2 > j)$) are still computed as in a normal challenge ciphertext.

In $\mathsf{Game}_{4,d^*,\mu}$, it is easy to see that the adversary $A$ cannot guess $\beta \in \{0,1\}$ with higher probability than $\Pr[S_{4,d^*,\mu}] = 1/2$ since the challenge ciphertext $C^*$ is completely independent of $\beta \in \{0,1\}$. □

Lemma 2. $\mathsf{Game}_0$ and $\mathsf{Game}_1$ are computationally indistinguishable if the DDH2 assumption holds in $(\mathbb{G}, \hat{\mathbb{G}})$.

Proof. The lemma will be proved by a hybrid argument. We define $\mathsf{Game}_{0,i}$ for all $0 \leq i \leq q$, where $q$ denotes the number of delegation queries made by the adversary. $\mathsf{Game}_{0,i}$ differs from $\mathsf{Game}_0$ in the fact that, when the adversary issues the first $i$ delegation queries, instead of generating the delegated keys faithfully using the Delegate algorithm, the challenger calls the Keygen algorithm to generate these delegated keys. For all the remaining queries, the challenger computes keys and responds faithfully as in $\mathsf{Game}_0$. Under the above definition, $\mathsf{Game}_{0,0}$ is the same as $\mathsf{Game}_0$ and $\mathsf{Game}_{0,q}$ is the same as $\mathsf{Game}_1$. We will prove that $\mathsf{Game}_{0,\kappa}$ is indistinguishable from $\mathsf{Game}_{0,\kappa+1}$ for all $0 \leq \kappa \leq q-1$. To this end, we will proceed similarly to [27] and rely on a generalized version (called GDDH hereafter) of the DDH problem in $\hat{\mathbb{G}}$.
Given a group generator $\mathsf{GG}$, define the following distribution $P(\lambda)$:

$(p, (\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T), e) \leftarrow \mathsf{GG}(\lambda)$,
$g \leftarrow \mathbb{G}$, $\hat g \leftarrow \hat{\mathbb{G}}$,
$h_1, h_2, \ldots, h_\ell \leftarrow \hat{\mathbb{G}}$,
$\tau \leftarrow \mathbb{Z}_p$,
$X \leftarrow \big( (p, (\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T), e),\ g,\ \hat g,\ h_1, h_2, \ldots, h_\ell \big)$,
$Q \leftarrow (h_1^\tau, h_2^\tau, \ldots, h_\ell^\tau)$,
Output $(X, Q)$.

For an algorithm $\mathcal{A}$, define $\mathcal{A}$'s advantage in solving the above problem as

$\mathbf{Adv}^{\ell\text{-GDDH}}_{\mathsf{GG},\mathcal{A}}(\lambda) := \big| \Pr[\mathcal{A}(X, Q) = 1] - \Pr[\mathcal{A}(X, R) = 1] \big|,$

where $(X, Q) \leftarrow P(\lambda)$ and $R \leftarrow \hat{\mathbb{G}}^\ell$. It is immediate⁵ that GDDH is not easier than DDH2 and that the latter advantage function is negligible if the DDH2 assumption holds in $(\mathbb{G}, \hat{\mathbb{G}})$.

To prove that $\mathsf{Game}_{0,\kappa}$ is indistinguishable from $\mathsf{Game}_{0,\kappa+1}$ we will use another hybrid argument. We define $\mathsf{Game}'_\kappa$, which differs from $\mathsf{Game}_{0,\kappa}$ in that, for the $(\kappa+1)$-th delegation query, $SK_{DL}$ is the delegation component of a fresh key, instead of a delegation component obtained by raising every element in $SK_{DL}$ to the same random power $z \in_R \mathbb{Z}_p$. We show that a PPT adversary cannot distinguish between the two games.

We also define $\mathsf{Game}''_\kappa$, which differs from $\mathsf{Game}'_\kappa$ in that, for the $(\kappa+1)$-th delegation query, instead of re-randomizing the components of the partial decryption key with the same exponent $t_{j,k}$, the components $\{\tilde K^{(j,k)}_{\ell+1,i_1}\}_{i_1 \in \{1,\ldots,\ell+1\}}$, $\tilde K^{(j,k)}_{w,\ell+1}$ are randomized with different, independently chosen exponents, while $\tilde K^{(j,k)}_{\ell+1}$ is chosen in such a way that the resulting key is still valid. We also prove that no PPT adversary can notice the difference.

We will argue that $\mathsf{Game}''_\kappa = \mathsf{Game}_{0,\kappa+1}$. Indeed, in the first step, we change $SK_{DL}$ so that, in step 2 of the Delegate algorithm, we obtain a randomized decryption key (except for the $\hat g^\alpha$ term). When multiplied by $SK_D$, it gives a randomized decryption key for $(X_1, \ldots, X_{\ell+1})$. On the other hand, in step 2 of the hybrid proof we change the partial decryption keys so that they also are randomized keys, except for the $\hat g^\alpha$ term.

⁵ The straightforward reduction computes a GDDH instance from a DDH2 instance $(g, \hat g, \hat g^a, \hat g^b, \eta)$ by setting $h_i = \hat g^{\alpha_i} \cdot (\hat g^b)^{\beta_i}$ and $Q_i = (\hat g^a)^{\alpha_i} \cdot \eta^{\beta_i}$ for $i = 1$ to $\ell$, with $\alpha_1, \ldots, \alpha_\ell \leftarrow \mathbb{Z}_p$ and $\beta_1, \ldots, \beta_\ell \leftarrow \mathbb{Z}_p$. If $\eta = \hat g^{ab}$, we have $Q = (h_1^a, \ldots, h_\ell^a)$ whereas, if $\eta \in_R \hat{\mathbb{G}}$, $Q$ is a random vector of $\hat{\mathbb{G}}^\ell$ (given $h_i$, the exponent $\beta_i$ is still uniform, so $\eta^{\beta_i}$ hides $h_i^a$).

Claim. $\mathsf{Game}_{0,\kappa}$ is computationally indistinguishable from $\mathsf{Game}'_\kappa$.

Proof. Let $q_0$ denote the maximum number of secret key queries (taking into account both the "Create-key" and "Create-delegated-key" queries) made by the adversary. We build a simulator $\mathcal{B}$ that uses $\mathcal{A}$ to break the following $(q_0 \cdot d \cdot \mu \cdot (d+1))$-GDDH assumption:

$(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e) \leftarrow \mathsf{GG}(\lambda)$,
$g \leftarrow \mathbb{G}$, $\hat g \leftarrow \hat{\mathbb{G}}$,
$\{ v_{i,i_1,i_2,k} \leftarrow \hat{\mathbb{G}} \}_{i \in \{1,\ldots,q_0\},\, i_1 \in \{1,\ldots,d\},\, i_2 \in \{0,\ldots,\mu\},\, k \in \{1,\ldots,d+1\}}$,
$\tau \leftarrow \mathbb{Z}_p$,
$X \leftarrow \big( (p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ g,\ \hat g,\ \{ v_{i,i_1,i_2,k} \}_{i \in \{1,\ldots,q_0\},\, i_1 \in \{1,\ldots,d\},\, i_2 \in \{0,\ldots,\mu\},\, k \in \{1,\ldots,d+1\}} \big)$,
$Q \leftarrow \big( \{ v_{i,i_1,i_2,k}^{\tau} \}_{i \in \{1,\ldots,q_0\},\, i_1 \in \{1,\ldots,d\},\, i_2 \in \{1,\ldots,\mu\},\, k \in \{1,\ldots,d+1\}} \big)$.

(The elements with $i_2 = 0$ belong to $X$ but have no counterpart in $Q$.) Then, the challenger randomly decides to give $(X, Q' = Q)$ or $(X, Q' = R)$, where $R$ is a random vector of elements of $\hat{\mathbb{G}}$ of the same size as $Q$. The simulator will use $\mathcal{A}$ as a subroutine to break the above problem.

Init and Setup. At the beginning of the security game, the adversary commits to two hierarchical vectors $(Y_1^0, \ldots, Y_{d^*}^0)$ and $(Y_1^1, \ldots, Y_{d^*}^1)$, where $d^* \leq d$. The simulator chooses the public and the secret key as usual according to the Setup algorithm. Let $c = \log_{\hat v}(\hat w)$ and $a_{i_1,i_2} = \log_{\hat v}(\hat h_{i_1,i_2})$. Note that these values are known to the simulator since they are easily computable from $msk$. For a vector $X_{i_1} = (x_{i_1,1}, \ldots, x_{i_1,\mu})$ we write $\langle a_{i_1}, X_{i_1} \rangle = \sum_{i_2=1}^{\mu} a_{i_1,i_2} \cdot x_{i_1,i_2}$, so that $\prod_{i_2=1}^{\mu} \hat h_{i_1,i_2}^{\,x_{i_1,i_2}} = \hat v^{\langle a_{i_1}, X_{i_1} \rangle}$.

Secret key queries. We distinguish three cases:

• When a "create-key" query or one of the first $\kappa$ delegated secret key queries is made, the simulator computes and saves a private key, which is given to $\mathcal{A}$ when a "reveal-key" query is made. To compute this secret key, the simulator uses the elements from the GDDH instance, in such a way that the exponents are distributed at random. In particular, if it is the $i$-th query and the key is for $(X_1, \ldots, X_\ell)$, the simulator defines the decryption component of the key as

$D = \hat g^{\alpha} \cdot \prod_{i_1=1}^{\ell} D_{i_1}^{\,\langle a_{i_1}, X_{i_1} \rangle} \cdot D_w^{\,c}, \qquad D_w = v_{i,1,0,d+1},$

where the $D_{i_1}$ ($i_1 \in \{1, \ldots, \ell\}$) are further instance elements with $i_2 = 0$ (any fixed choice of distinct elements works, e.g. $D_{i_1} = v_{i,i_1,0,1}$), so that their unknown exponents w.r.t. $\hat v$ play the roles of $r_{i_1}$ and $r_w$ in a fresh key. For the delegation component of the key, for all $j \in \{\ell+1, \ldots, d\}$ and all $k \in \{1, \ldots, \mu\}$, the simulator lets

$L_j = v_{i,j,1,\ell+1}, \qquad L_{j,k,i_1} = v_{i,j,k,i_1} \ \text{ for } i_1 \in \{1, \ldots, \ell\}, \qquad L_{w,j,k} = v_{i,j,k,d+1}.$

As the simulator knows the discrete logarithms $c = \log_{\hat v}(\hat w)$ and $a_{i_1,i_2} = \log_{\hat v}(\hat h_{i_1,i_2})$, for each $j \in \{\ell+1, \ldots, d\}$ and all $k \in \{1, \ldots, \mu\}$, it can compute the remaining components of the key as

$K_{j,k} = \prod_{i_1=1}^{\ell} L_{j,k,i_1}^{\,\langle a_{i_1}, X_{i_1} \rangle} \cdot L_j^{\,a_{j,k}} \cdot L_{w,j,k}^{\,c}. \qquad (\mathrm{P})$

• When the adversary makes the $(\kappa+1)$-th delegation query, it specifies a parent key and asks to fix the next level of the hierarchy to some vector $X_{\ell+1}$. Assume that the parent key was created in the $i$-th query. When performing Step 1 of the Delegate algorithm, for all $j \in \{\ell+2, \ldots, d\}$, $k \in \{1, \ldots, \mu\}$, the simulator sets

$L_j = Q'_{i,j,1,\ell+1}, \qquad L_{j,k,i_1} = Q'_{i,j,k,i_1} \ \text{ for } i_1 \in \{1, \ldots, \ell\}, \qquad L_{w,j,k} = Q'_{i,j,k,d+1},$

and computes $K_{j,k}$ for each $j \in \{\ell+2, \ldots, d\}$, $k \in \{1, \ldots, \mu\}$ exactly in the same way as in expression (P).

• For all the remaining queries, the simulator responds faithfully as in the real game.

Clearly, if $Q' = Q$ in the GDDH instance, then the above simulation is identical to $\mathsf{Game}_{0,\kappa}$: every component of the parent's $SK_{DL}$ has been raised to the same hidden exponent $\tau$, which plays the role of $z$ in Step 1 of Delegate. Otherwise, it is identical to $\mathsf{Game}'_\kappa$ since, in the $(\kappa+1)$-th delegation query, $Q' = R$ implicitly defines a set of fresh random values for $s_j$, $s_{j,k,i_1}$, $s_{w,j,k}$, for the appropriate values of $j$, $k$, $i_1$.

Challenge. The simulator generates the challenge ciphertext as normal.

Guess. If the adversary has a difference of $\epsilon$ in its advantage in $\mathsf{Game}_{0,\kappa}$ and $\mathsf{Game}'_\kappa$, the simulator has a comparable advantage in solving the GDDH instance. $\square$

Claim. $\mathsf{Game}'_\kappa$ is computationally indistinguishable from $\mathsf{Game}''_\kappa$.

Proof. To prove this claim, we will appeal to a nested hybrid argument. Let $\mathsf{Game}_{0,\kappa,0,\mu} = \mathsf{Game}'_\kappa$ and, for $1 \leq \eta \leq d-\ell-1$, $1 \leq \nu \leq \mu$, define $\mathsf{Game}_{0,\kappa,\eta,\nu}$ as the game that differs from $\mathsf{Game}'_\kappa$ in the following: in the step of the delegation algorithm where the components $\{\tilde K^{(j,k)}_{\ell+1,i_1}\}_{i_1 \in \{1,\ldots,\ell+1\}}$, $\tilde K^{(j,k)}_{w,\ell+1}$ are created by re-randomizing the partial decryption key with some exponent $t_{j,k}$, we re-randomize instead each of these components with a different exponent chosen uniformly and independently at random whenever $(j,k) \leq (\eta+\ell+1, \nu)$ (in lexicographic order). Observe that, by definition, $\mathsf{Game}_{0,\kappa,d-\ell-1,\mu} = \mathsf{Game}''_\kappa$. We will show that an adversary cannot distinguish between one game and the next. That is, if we define $\mathsf{Game}_{0,\kappa,\eta,\mu+1} = \mathsf{Game}_{0,\kappa,\eta+1,1}$ to simplify the notation, what we will show is that no polynomial time adversary can distinguish between $\mathsf{Game}_{0,\kappa,\eta,\nu}$ and $\mathsf{Game}_{0,\kappa,\eta,\nu+1}$.

The simulator tries to solve the following $(\mu \cdot (d+1))$-GDDH instance:

$(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e) \leftarrow \mathsf{GG}(\lambda)$,
$g \leftarrow \mathbb{G}$, $\hat g \leftarrow \hat{\mathbb{G}}$,
$\{ v_{i,k} \leftarrow \hat{\mathbb{G}} \}_{i \in \{1,\ldots,\mu\},\, k \in \{1,\ldots,d+1\}}$,
$\tau \leftarrow \mathbb{Z}_p$,
$X \leftarrow \big( (p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ g,\ \hat g,\ \{ v_{i,k} \}_{i \in \{1,\ldots,\mu\},\, k \in \{1,\ldots,d+1\}} \big)$,
$Q \leftarrow \big( \{ v_{i,k}^{\tau} \}_{i \in \{1,\ldots,\mu\},\, k \in \{1,\ldots,d+1\}} \big)$.

The simulator tries to distinguish between $(X, Q' = Q)$ and $(X, Q' = R)$, where $R$ is a random vector from $\hat{\mathbb{G}}^{\mu (d+1)}$. The simulator uses as a subroutine an adversary $\mathcal{A}$ who can distinguish between $\mathsf{Game}_{0,\kappa,\eta,\nu}$ and $\mathsf{Game}_{0,\kappa,\eta,\nu+1}$.

The simulator runs the Setup algorithm as usual, in such a way that it knows the discrete logarithms $c = \log_v(w) = \log_{\hat v}(\hat w)$ and $a_{i_1,i_2} = \log_v(h_{i_1,i_2}) = \log_{\hat v}(\hat h_{i_1,i_2})$ for any $1 \leq i_1 \leq d$, $0 \leq i_2 \leq \mu$.

To answer secret key queries, the simulator proceeds as follows:

• For the first $\kappa$ delegation queries and all of the "create-key" queries, the simulator computes the keys freshly at random.

• At the $(\kappa+1)$-th delegation query, the adversary specifies a parent key at level $\ell$ and requests to fix the $(\ell+1)$-th level of the hierarchy to $X_{\ell+1}$. To answer this query, the simulator first generates some components of $SK_{DL}$ simply by choosing at random the values $L_j$, $L_{j,k,i_1}$, $L_{w,j,k}$ for all $j \in \{\ell+2, \ldots, d\}$, $k \in \{1, \ldots, \mu\}$, $i_1 \in \{1, \ldots, \ell\}$. To compute the remaining components and the decryption key component, the simulator takes the level-$(\ell+1)$ delegation components of the parent key from the instance, $L_{\ell+1,k,i_1} = v_{k,i_1}$, $L_{\ell+1} = v_{1,\ell+1}$ and $L_{w,\ell+1,k} = v_{k,d+1}$, so that Step 2 of the Delegate algorithm yields the partial decryption key

$L_{\ell+1,i_1} = \prod_{k=1}^{\mu} L_{\ell+1,k,i_1}^{\,x_{\ell+1,k}} = \prod_{k=1}^{\mu} (v_{k,i_1})^{x_{\ell+1,k}}, \qquad i_1 \in \{1, \ldots, \ell\},$

$L_{\ell+1,\ell+1} = L_{\ell+1} = v_{1,\ell+1},$

$L_{w,\ell+1} = \prod_{k=1}^{\mu} L_{w,\ell+1,k}^{\,x_{\ell+1,k}} = \prod_{k=1}^{\mu} (v_{k,d+1})^{x_{\ell+1,k}}.$

Since the simulator knows the discrete logarithms $c = \log_{\hat v}(\hat w)$ and $a_{i_1,i_2} = \log_{\hat v}(\hat h_{i_1,i_2})$, the remaining components of $SK_{DL}$ and those of the partial decryption key can be generated efficiently, in the same way as in the proof of indistinguishability of $\mathsf{Game}_{0,\kappa}$ and $\mathsf{Game}'_\kappa$. In particular, the simulator can compute

$\tilde K_{\ell+1} = \prod_{i_1=1}^{\ell} \prod_{i_2=1}^{\mu} L_{\ell+1,i_1}^{\,a_{i_1,i_2} \cdot x_{i_1,i_2}} \cdot L_{\ell+1,\ell+1}^{\,\sum_{k=1}^{\mu} a_{\ell+1,k} \cdot x_{\ell+1,k}} \cdot L_{w,\ell+1}^{\,c}.$

To create $\{\tilde K^{(j,k)}_{\ell+1,i_1}\}_{i_1 \in \{1,\ldots,\ell+1\}}$, $\tilde K^{(j,k)}_{w,\ell+1}$ for $(j,k) < (\eta+\ell+1, \nu+1)$ (in lexicographic order), the values are chosen as fresh random delegation keys. For the $(\eta+\ell+1, \nu+1)$ partial decryption key, the simulator lets

$\tilde K^{(\eta+\ell+1,\nu+1)}_{\ell+1,i_1} = \prod_{k=1}^{\mu} (Q'_{k,i_1})^{x_{\ell+1,k}}, \qquad i_1 \in \{1, \ldots, \ell\},$

$\tilde K^{(\eta+\ell+1,\nu+1)}_{\ell+1,\ell+1} = Q'_{1,\ell+1},$

$\tilde K^{(\eta+\ell+1,\nu+1)}_{w,\ell+1} = \prod_{k=1}^{\mu} (Q'_{k,d+1})^{x_{\ell+1,k}}.$

Again, as the simulator knows the discrete logarithms of $\hat w$ and $\hat h_{i_1,i_2}$ w.r.t. the base $\hat v$, the remaining terms, including $\tilde K^{(\eta+\ell+1,\nu+1)}_{\ell+1}$, can be generated efficiently. For the remaining partial decryption keys, the simulator generates them faithfully using the Delegate algorithm.

• The remaining delegated key queries are generated faithfully.

Clearly, if $Q' = Q$ in the GDDH instance, then the above simulation is identically distributed as $\mathsf{Game}_{0,\kappa,\eta,\nu}$: the $(\eta+\ell+1,\nu+1)$ partial decryption key is the original one raised to the single exponent $\tau$, which plays the role of $t_{\eta+\ell+1,\nu+1}$. Otherwise, it is identically distributed as $\mathsf{Game}_{0,\kappa,\eta,\nu+1}$.

The simulator generates the challenge ciphertext as normal and sends it to the adversary. If the adversary has a difference of $\epsilon$ in its advantage in $\mathsf{Game}_{0,\kappa,\eta,\nu}$ and $\mathsf{Game}_{0,\kappa,\eta,\nu+1}$, it is not hard to see that the simulator has a comparable advantage in solving the GDDH instance. $\square$

Lemma 3. $\mathsf{Game}_1$ and $\mathsf{Game}_2$ are computationally indistinguishable if the BDH assumption holds in $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$.

Proof. Assume that there is an adversary $\mathcal{A}$ that can distinguish between $\mathsf{Game}_1$ and $\mathsf{Game}_2$. We build an adversary $\mathcal{B}$ that uses $\mathcal{A}$ as a subroutine to break the BDH assumption. The simulator $\mathcal{B}$ receives as input

$(g, g^a, g^c, \hat g, \hat g^a, \hat g^b, Q'),$

where $Q'$ is either $e(g, \hat g)^{abc}$ or an element chosen uniformly at random in $\mathbb{G}_T$.

The adversary $\mathcal{A}$ commits to two vectors $(Y_1^0, \ldots, Y_{d^*}^0)$ and $(Y_1^1, \ldots, Y_{d^*}^1)$. The challenger $\mathcal{B}$ picks $\beta \leftarrow \{0,1\}$. If $d^* < d$, the simulator picks at random $d - d^*$ vectors $Y^\beta_{d^*+1}, \ldots, Y^\beta_d \in \mathbb{Z}_p^\mu$. The simulator $\mathcal{B}$ runs the Setup algorithm as usual except that it implicitly sets $\alpha$ to be $ab$, by defining $e(g, \hat v)^\alpha = e(g^a, \hat g^b)^{\gamma_v}$ where $v = g^{\gamma_v}$, and then, for $i_1 \in \{1, \ldots, d\}$ and $i_2 \in \{1, \ldots, \mu\}$, it defines

$h_{i_1,i_2} = (g^a)^{z_{i_1} \cdot y^\beta_{i_1,i_2}} \cdot g^{t_{i_1,i_2}}, \qquad h_{i_1,0} = (g^a)^{-z_{i_1}},$

for some random exponents $z_{i_1}, t_{i_1,i_2} \leftarrow \mathbb{Z}_p$. The values of $\hat h_{i_1,i_2}$ for $i_1 \in \{1, \ldots, d\}$, $i_2 \in \{0, \ldots, \mu\}$ are defined similarly from the value $\hat g^a$ of the BDH instance. Observe that $\beta$ remains hidden from $\mathcal{A}$ and that the parameters are correctly distributed.

For the secret key queries, in the last lemma we have just proven that delegated keys are indistinguishable from freshly generated ones. Therefore, $\mathcal{B}$ will generate the secret keys using algorithm Keygen when a reveal query is made. Note that $\alpha$ is defined as $ab$, which is not known to $\mathcal{B}$. However, $\mathcal{B}$ only needs to simulate secret keys for vectors $(X_1, \ldots, X_\ell)$ such that $f_{(X_1, \ldots, X_\ell)}(Y_1^\beta, \ldots, Y_{d^*}^\beta) = 0$. As $\alpha$ does not appear in the delegation component of the key, the delegation component $SK_{DL}$ of the secret keys can be created using the parameters as usual. Therefore, from now on we focus on how to create the decryption component of the secret key. Denote by $\ell'$ the smallest index of the vector $(X_1, \ldots, X_\ell)$ for which $X_{\ell'} \cdot Y^\beta_{\ell'} \neq 0$. This value $\ell'$ always exists if $\ell \leq d^*$, by hypothesis, and exists with overwhelming probability if $\ell > d^*$, since the vectors $Y^\beta_{d^*+1}, \ldots, Y^\beta_d \in \mathbb{Z}_p^\mu$ are completely hidden from $\mathcal{A}$'s view.

The simulator creates the decryption component of the secret key as follows:

$D = \hat g^{ab} \cdot \prod_{i_1=1}^{\ell} \Big( \prod_{i_2=1}^{\mu} \hat h_{i_1,i_2}^{\,x_{i_1,i_2}} \Big)^{r_{i_1}} \cdot \hat w^{r_w},$

where the term $\hat g^{ab} \cdot \big( \prod_{i_2=1}^{\mu} \hat h_{\ell',i_2}^{\,x_{\ell',i_2}} \big)^{r_{\ell'}}$ is computed as

$\Big( \prod_{i_2=1}^{\mu} \hat h_{\ell',i_2}^{\,x_{\ell',i_2}} \Big)^{r'_{\ell'}} \cdot (\hat g^b)^{-\langle t_{\ell'}, X_{\ell'} \rangle / (z_{\ell'} \cdot X_{\ell'} \cdot Y^\beta_{\ell'})}, \qquad \text{with } \langle t_{\ell'}, X_{\ell'} \rangle = \sum_{i_2=1}^{\mu} t_{\ell',i_2} \cdot x_{\ell',i_2},$

while the other terms in the product are just computed as usual. It is not hard to see that, if we define $r_{\ell'} = r'_{\ell'} - b / (z_{\ell'} \cdot X_{\ell'} \cdot Y^\beta_{\ell'})$, then the computation is correct: the factor $(\hat g^a)^{z_{\ell'} \cdot X_{\ell'} \cdot Y^\beta_{\ell'} \cdot r_{\ell'}}$ of $\big( \prod_{i_2} \hat h_{\ell',i_2}^{\,x_{\ell',i_2}} \big)^{r_{\ell'}}$ contributes $\hat g^{-ab}$, which cancels the leading $\hat g^{ab}$. All the other terms in the decryption component, including $D_{\ell'} = \hat v^{r_{\ell'}} = \hat v^{r'_{\ell'}} \cdot (\hat g^b)^{-\gamma_v / (z_{\ell'} \cdot X_{\ell'} \cdot Y^\beta_{\ell'})}$, can be computed efficiently, since the simulator knows all the parameters needed and it also knows $\hat g^b$.

At the challenge step, the adversary $\mathcal{A}$ gives $\mathcal{B}$ two messages, $M_0$ and $M_1$. $\mathcal{B}$ then computes

$C_0 = M_\beta \cdot (Q')^{\gamma_v}, \qquad C_v = (g^c)^{\gamma_v}, \qquad C_w = (g^c)^{\gamma_w},$

$\{ C_{i_1,i_2} = (g^c)^{t_{i_1,i_2}} \}_{i_1 \in \{1,\ldots,d^*\},\, i_2 \in \{1,\ldots,\mu\}},$

where $w = g^{\gamma_w}$ is the element chosen in the normal Setup. It is not hard to check that the challenge ciphertext is correctly distributed, with encryption exponent $s = c$: indeed, $h_{i_1,0}^{y^\beta_{i_1,i_2}} \cdot h_{i_1,i_2} = g^{t_{i_1,i_2}}$ and $e(g, \hat v)^{\alpha c} = e(g, \hat g)^{abc \cdot \gamma_v}$.

Finally, when the adversary $\mathcal{A}$ outputs a guess $\beta'$, if $\beta = \beta'$ then $\mathcal{B}$ guesses that $Q' = e(g, \hat g)^{abc}$ and, if $\beta \neq \beta'$, it guesses that $Q' = R$. If $\mathcal{A}$ has advantage $\epsilon$ in distinguishing between the two cases, then $\mathcal{B}$ also has advantage $\epsilon$ in solving the BDH instance, except in the case that $\mathcal{A}$ managed to output some secret key query for a vector $(X_1, \ldots, X_\ell)$ with $\ell > d^*$ such that $X_i \cdot Y_i^\beta = 0$ for all $i \in \{1, \ldots, \ell\}$ (which requires $X_i \cdot Y_i^\beta = 0$ for $i = d^*+1, \ldots, \ell$, where the $Y_i^\beta$ are hidden random vectors); this occurs only with negligible probability. $\square$

Lemma 4. $\mathsf{Game}_2$ and $\mathsf{Game}_3$ are computationally indistinguishable if the P-BDH$_1$ assumption holds in $(\mathbb{G}, \hat{\mathbb{G}})$.

Proof. Assuming that the adversary $\mathcal{A}$ outputs $\beta' = \beta$ with noticeably different probabilities in $\mathsf{Game}_2$ and $\mathsf{Game}_3$, we build a distinguisher $\mathcal{B}$ for the P-BDH$_1$ assumption. Namely, algorithm $\mathcal{B}$ receives as input a tuple

$(g, g^b, g^{ab}, g^c, \hat g, \hat g^a, \hat g^b, g^z),$

where $a, b, c \leftarrow \mathbb{Z}_p$. Its goal is to decide if $z = abc$ or $z \in_R \mathbb{Z}_p$.

To this end, $\mathcal{B}$ interacts with $\mathcal{A}$ as follows. It first receives the vectors $(Y_1^0, \ldots, Y_{d^*}^0)$, $(Y_1^1, \ldots, Y_{d^*}^1)$ at some depth $d^* \leq d$, that $\mathcal{A}$ wishes to be challenged upon. We may assume w.l.o.g. that $\mathcal{B}$ chooses its challenge bit $\beta \leftarrow \{0,1\}$ at the beginning of the game. Also, if $d^* < d$, for each $i \in \{d^*+1, \ldots, d\}$, $\mathcal{B}$ defines the vector $Y_i^\beta$ as a random vector of $\mathbb{Z}_p^\mu$.

It defines the master public key by setting $e(g, \hat v)^\alpha = e(g, \hat g)^{\alpha \cdot \gamma_v}$ and

$v = g^{\gamma_v},$
$h_{i_1,0} = (g^b)^{\gamma_{i_1,0}} \qquad i_1 \in \{1, \ldots, d\},$
$h_{i_1,i_2} = (g^b)^{-\gamma_{i_1,0} \cdot y^\beta_{i_1,i_2}} \cdot g^{\gamma_{i_1,i_2}} \qquad i_1 \in \{1, \ldots, d\},\ i_2 \in \{1, \ldots, \mu\}, \qquad (2)$
$w = g^{y} \cdot (g^{ab})^{x},$

where $\alpha, \gamma_v, x, y \leftarrow \mathbb{Z}_p$ and $\gamma_{i_1,i_2} \leftarrow \mathbb{Z}_p$, for each $i_1 \in \{1, \ldots, d\}$, $i_2 \in \{0, \ldots, \mu\}$. For each $i_1$, we also define the vector $\gamma_{i_1} = (\gamma_{i_1,1}, \ldots, \gamma_{i_1,\mu}) \in \mathbb{Z}_p^\mu$. The corresponding elements of $\hat{\mathbb{G}}$ are $\hat v = \hat g^{\gamma_v}$, $\hat h_{i_1,0} = (\hat g^b)^{\gamma_{i_1,0}}$, $\hat h_{i_1,i_2} = (\hat g^b)^{-\gamma_{i_1,0} \cdot y^\beta_{i_1,i_2}} \cdot \hat g^{\gamma_{i_1,i_2}}$ and $\hat w = \hat g^{y} \cdot (\hat g^{ab})^{x}$. We observe that $\mathcal{B}$ does not know $\hat w$ (which depends on the unavailable term $\hat g^{ab}$) but can compute $\{\hat h_{i_1,i_2}\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{0,\ldots,\mu\}}$.

When the adversary $\mathcal{A}$ requests a key for a hierarchical vector $X = (X_1, \ldots, X_\ell)$, $\mathcal{B}$ parses $X_{i_1}$ as $(x_{i_1,1}, \ldots, x_{i_1,\mu}) \in \mathbb{Z}_p^\mu$ for each $i_1 \in \{1, \ldots, \ell\}$. Then, $\mathcal{B}$ responds as follows.

• If $\ell \leq d^*$, let $i \in \{1, \ldots, \ell\}$ be the smallest index such that $X_i \cdot Y_i^\beta \neq 0$ (by hypothesis, this index must exist). By choosing $r_w \leftarrow \mathbb{Z}_p$ and $r'_i \leftarrow \mathbb{Z}_p$, $\mathcal{B}$ implicitly defines the exponent

$r_i = r'_i + \dfrac{a \cdot x \cdot r_w}{\gamma_{i,0} \cdot X_i \cdot Y_i^\beta}$

and can compute

$\Big( \prod_{i_2=1}^{\mu} \hat h_{i,i_2}^{\,x_{i,i_2}} \Big)^{r_i} \cdot \hat w^{r_w} = \Big( \prod_{i_2=1}^{\mu} \hat h_{i,i_2}^{\,x_{i,i_2}} \Big)^{r'_i} \cdot (\hat g^a)^{x \cdot r_w \cdot \langle \gamma_i, X_i \rangle / (\gamma_{i,0} \cdot X_i \cdot Y_i^\beta)} \cdot \hat g^{\,y \cdot r_w} \qquad (3)$

without knowing $\hat g^{ab}$: the term $(\hat g^{ab})^{x \cdot r_w}$ coming from $\hat w^{r_w}$ is cancelled by the term $(\hat g^b)^{-\gamma_{i,0} \cdot X_i \cdot Y_i^\beta \cdot (r_i - r'_i)}$ coming from $\prod_{i_2} \hat h_{i,i_2}^{\,x_{i,i_2}}$. Similarly, it can compute

$D_i = \hat v^{r_i} = \hat g^{\gamma_v \cdot r'_i} \cdot (\hat g^a)^{\gamma_v \cdot r_w \cdot x / (\gamma_{i,0} \cdot X_i \cdot Y_i^\beta)}$

as well as $D_w = \hat v^{r_w}$.

We now turn to indices $i_1 \in \{1, \ldots, \ell\} \setminus \{i\}$, for which $\mathcal{B}$ can trivially compute $\big( \prod_{i_2=1}^{\mu} \hat h_{i_1,i_2}^{\,x_{i_1,i_2}} \big)^{r_{i_1}}$ and $D_{i_1} = \hat v^{r_{i_1}}$ for $r_{i_1} \leftarrow \mathbb{Z}_p$, since it knows $\{\hat h_{i_1,i_2}\}_{i_2=1}^{\mu}$ and $\hat v$. This suffices for computing the whole decryption component $SK_D$ of the private key.

As for the delegation component $SK_{DL}$, $\mathcal{B}$ can compute $\{K_{j,k}\}_{j \in \{\ell+1,\ldots,d\},\, k \in \{1,\ldots,\mu\}}$, $\{L_j\}_{j=\ell+1}^{d}$ and $\{L_{w,j,k}\}_{j,k}$ by applying exactly the same procedure as for $D$, $D_i$ and $D_w$ (and taking advantage of the fact that $X_i \cdot Y_i^\beta \neq 0$ for at least one $i \in \{1, \ldots, \ell\}$). The remaining pieces of $SK_{DL}$ are then trivially computable since $\mathcal{B}$ has $\{\hat h_{i_1,i_2}\}_{i_2=0}^{\mu}$ and $\hat v$ at its disposal.

• If $\ell > d^*$, it can be the case that $X_i \cdot Y_i^\beta = 0$ for $i = 1$ to $d^*$. However, with overwhelming probability, there must exist $i \in \{d^*+1, \ldots, \ell\}$ such that $X_i \cdot Y_i^\beta \neq 0$, since the vectors $Y^\beta_{d^*+1}, \ldots, Y^\beta_d$ have been chosen at random and, due to the generation of the public key as per (2), they are completely independent of $\mathcal{A}$'s view. It comes that $\mathcal{B}$ can generate a private key in the same way as in the case $\ell \leq d^*$ (see equation (3)).
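The cancellation that makes the product in (3) computable from $\hat g$, $\hat g^a$ and $\hat g^b$ alone, written out at the level of exponents as an added check (this derivation is not part of the original text; it uses only the symbols of the simulation above, and the same computation justifies the analogous implicit exponents in Lemmas 3 and 5):

\[
\log_{\hat g}\Big[ \Big( \prod_{i_2=1}^{\mu} \hat h_{i,i_2}^{\,x_{i,i_2}} \Big)^{r_i} \cdot \hat w^{r_w} \Big]
= r_i \big( \langle \gamma_i, X_i \rangle - b \, \gamma_{i,0} \, X_i \cdot Y_i^\beta \big) + y \, r_w + ab \, x \, r_w ,
\]

since $\log_{\hat g} \hat h_{i,i_2} = \gamma_{i,i_2} - b \, \gamma_{i,0} \, y^\beta_{i,i_2}$ and $\log_{\hat g} \hat w = y + ab \, x$. Substituting $r_i = r'_i + a \, x \, r_w / (\gamma_{i,0} \, X_i \cdot Y_i^\beta)$ gives

\[
= r'_i \big( \langle \gamma_i, X_i \rangle - b \, \gamma_{i,0} \, X_i \cdot Y_i^\beta \big)
  + \frac{a \, x \, r_w \, \langle \gamma_i, X_i \rangle}{\gamma_{i,0} \, X_i \cdot Y_i^\beta}
  - ab \, x \, r_w + y \, r_w + ab \, x \, r_w .
\]

The two $ab \, x \, r_w$ terms cancel, and every surviving term is a known scalar multiple of $1$, $a$ or $b$, hence computable as a power of $\hat g$, $\hat g^a$ or $\hat g^b$. The division is only possible because $X_i \cdot Y_i^\beta \neq 0$, which is exactly why the simulation needs such an index $i$, and $r_i$ is uniformly distributed because $r'_i$ is.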

When $\mathcal{B}$ has to construct the challenge ciphertext, $\mathcal{B}$ sets $C_0 = M \cdot e(g^c, \hat g^{\gamma_v})^{\alpha}$, where $M \leftarrow \mathbb{G}_T$, and

$C_v = (g^c)^{\gamma_v}, \qquad C_w = (g^c)^{y} \cdot (g^z)^{x},$

$C_{i_1,i_2} = (g^c)^{\gamma_{i_1,i_2}} \qquad i_1 \in \{1, \ldots, d^*\},\ i_2 \in \{1, \ldots, \mu\}.$

We observe that, if $z = abc$, $(C_0, C_v, C_w, \{C_{i_1,i_2}\}_{i_1 \in \{1,\ldots,d^*\},\, i_2 \in \{1,\ldots,\mu\}})$ corresponds to a valid ciphertext with the encryption exponent $s = c$: indeed, $C_w = w^c$ and, by (2), $(h_{i_1,0}^{y^\beta_{i_1,i_2}} \cdot h_{i_1,i_2})^{c} = (g^c)^{\gamma_{i_1,i_2}}$. In this situation, $\mathcal{B}$ is playing $\mathsf{Game}_2$ with $\mathcal{A}$.

In contrast, if $z \in_R \mathbb{Z}_p$, we have $z \neq abc$ with overwhelming probability. In this case, we have $g^z = g^{abc + \theta}$ for some $\theta \neq 0$, and we can thus write $C_w = w^c \cdot g^{\theta \cdot x}$. This means that $C_w$ looks uniformly random and independent from $\mathcal{A}$'s view. Indeed, until the challenge phase, $\mathcal{A}$ has no information about $\theta \in \mathbb{Z}_p$ (recall that the public parameters do not depend on $c$) and the value $x \in \mathbb{Z}_p$ is also independent of $\mathcal{A}$'s view, since $w$ is blinded by $g^y$. We conclude that, if $g^z$ is such that $z \in_R \mathbb{Z}_p$, we are in $\mathsf{Game}_3$. $\square$

Lemma 5. For each $\delta_1 \in \{1, \ldots, d\}$ and each $\delta_2 \in \{2, \ldots, \mu\}$, $\mathsf{Game}_{4,\delta_1,\delta_2-1}$ and $\mathsf{Game}_{4,\delta_1,\delta_2}$ are computationally indistinguishable if the P-BDH$_1$ assumption holds in $(\mathbb{G}, \hat{\mathbb{G}})$.

Proof. Towards a contradiction, we assume there exist $\delta_1, \delta_2$ such that the adversary $\mathcal{A}$ outputs $\beta' = \beta$ with significantly different probabilities in $\mathsf{Game}_{4,\delta_1,\delta_2-1}$ and $\mathsf{Game}_{4,\delta_1,\delta_2}$. We show that $\mathcal{A}$ implies a distinguisher $\mathcal{B}$ against P-BDH$_1$.

Our distinguisher $\mathcal{B}$ receives as input $(g, g^b, g^{ab}, g^c, \hat g, \hat g^a, \hat g^b, g^z)$, with $a, b, c \leftarrow \mathbb{Z}_p$. It aims to decide if $z = abc$ or $z \in_R \mathbb{Z}_p$.

To do this, $\mathcal{B}$ runs the adversary $\mathcal{A}$ as follows. It first receives the challenge vectors $(Y_1^0, \ldots, Y_{d^*}^0)$, $(Y_1^1, \ldots, Y_{d^*}^1)$ at some depth $d^* \leq d$, that are chosen by $\mathcal{A}$. We assume that $\mathcal{B}$ chooses its challenge bit $\beta \leftarrow \{0,1\}$ at the outset of the game. Also, if $d^* < d$, for each $i \in \{d^*+1, \ldots, d\}$, $\mathcal{B}$ defines the vector $Y_i^\beta$ as a random vector of $\mathbb{Z}_p^\mu$.

It defines the master public key by setting $e(g, \hat v)^\alpha = e(g, \hat g)^{\alpha \cdot \gamma_v}$ and

$v = g^{\gamma_v},$
$h_{i_1,0} = g^{\gamma_{i_1,0}} \qquad \text{for } i_1 \in \{1, \ldots, d\},$
$h_{i_1,i_2} = g^{-\gamma_{i_1,0} \cdot y^\beta_{i_1,i_2}} \cdot g^{\gamma_{i_1,i_2}} \qquad \text{if } i_1 \in \{1, \ldots, d\} \setminus \{\delta_1\} \text{ or } i_2 \in \{1, \ldots, \mu\} \setminus \{\delta_2\},$
$h_{\delta_1,\delta_2} = g^{-\gamma_{\delta_1,0} \cdot y^\beta_{\delta_1,\delta_2}} \cdot (g^{ab})^{\gamma_{\delta_1,\delta_2}}, \qquad (4)$
$w = g^{y} \cdot (g^b)^{x},$

where $\alpha, \gamma_v, y \leftarrow \mathbb{Z}_p$, $x \leftarrow \mathbb{Z}_p^*$ and $\gamma_{i_1,i_2} \leftarrow \mathbb{Z}_p$, for each $i_1 \in \{1, \ldots, d\}$, $i_2 \in \{0, \ldots, \mu\}$. For each $i_1$, we also define the vector $\gamma_{i_1} = (\gamma_{i_1,1}, \ldots, \gamma_{i_1,\mu}) \in \mathbb{Z}_p^\mu$. Note that, in the implicitly defined master secret key $msk$ (whose components are obtained by replacing $g$ by $\hat g$ in (4)), the distinguisher $\mathcal{B}$ knows all the components but $\hat h_{\delta_1,\delta_2}$, which depends on the unknown term $\hat g^{ab}$.

When the adversary $\mathcal{A}$ requests a key for a hierarchical vector $X = (X_1, \ldots, X_\ell)$, $\mathcal{B}$ parses $X_{i_1}$ as $(x_{i_1,1}, \ldots, x_{i_1,\mu}) \in \mathbb{Z}_p^\mu$ for each $i_1 \in \{1, \ldots, \ell\}$. Then, $\mathcal{B}$ responds as follows.

• If $\ell \geq \delta_1$, $\mathcal{B}$ chooses $r'_w \leftarrow \mathbb{Z}_p$ and $r_{\delta_1} \leftarrow \mathbb{Z}_p$, and implicitly defines the exponent

$r_w = r'_w - \dfrac{a \cdot r_{\delta_1} \cdot \gamma_{\delta_1,\delta_2} \cdot x_{\delta_1,\delta_2}}{x}. \qquad (5)$

It can then compute the product

$\big( \hat h_{\delta_1,\delta_2}^{\,x_{\delta_1,\delta_2}} \big)^{r_{\delta_1}} \cdot \hat w^{r_w} = (\hat g^{ab})^{\gamma_{\delta_1,\delta_2} \cdot x_{\delta_1,\delta_2} \cdot r_{\delta_1}} \cdot \hat w^{r_w} \cdot \hat g^{-\gamma_{\delta_1,0} \cdot y^\beta_{\delta_1,\delta_2} \cdot x_{\delta_1,\delta_2} \cdot r_{\delta_1}} \qquad (6)$
$\qquad\qquad = \hat w^{r'_w} \cdot (\hat g^a)^{-y \cdot r_{\delta_1} \cdot \gamma_{\delta_1,\delta_2} \cdot x_{\delta_1,\delta_2} / x} \cdot \hat g^{-\gamma_{\delta_1,0} \cdot y^\beta_{\delta_1,\delta_2} \cdot x_{\delta_1,\delta_2} \cdot r_{\delta_1}},$

which is the only factor of $D$ that it cannot trivially compute without knowing $\hat g^{ab}$: the term $(\hat g^{ab})^{\gamma_{\delta_1,\delta_2} \cdot x_{\delta_1,\delta_2} \cdot r_{\delta_1}}$ is cancelled by the factor $(\hat g^b)^{x \cdot (r_w - r'_w)}$ of $\hat w^{r_w}$. Similarly, it can compute $D_w = \hat v^{r_w} = \hat g^{\gamma_v \cdot r'_w} \cdot (\hat g^a)^{-\gamma_v \cdot r_{\delta_1} \cdot \gamma_{\delta_1,\delta_2} \cdot x_{\delta_1,\delta_2} / x}$, while $D_{\delta_1} = \hat v^{r_{\delta_1}}$ and all the other factors of $D$ are computed as usual.

To generate the delegation component $SK_{DL}$ of the key, the reduction $\mathcal{B}$ is able to compute $\{K_{j,k}\}_{j \in \{\ell+1,\ldots,d\},\, k \in \{1,\ldots,\mu\}}$ by repeating $(d - \ell) \cdot \mu$ times the same procedure as for computing $D$ and $D_w$.

• If $\ell < \delta_1$, $\mathcal{B}$ can directly compute $(D, D_w, \{D_{i_1}\}_{i_1=1}^{\ell})$ since it knows $\{\hat h_{i_1,i_2}\}_{i_1 \in \{1,\ldots,\ell\},\, i_2 \in \{1,\ldots,\mu\}}$, $\hat v$ and $\hat w$. The difficulty is to compute the delegation components $\{K_{\delta_1,k}\}_{k=1}^{\mu}$ without knowing $\hat g^{ab}$. In fact, among these components, the only factor of $K_{\delta_1,\delta_2}$ that $\mathcal{B}$ cannot trivially compute is $\hat h_{\delta_1,\delta_2}^{\,s_{\delta_1}}$.

However, similarly to (5)-(6), it can choose $s_{\delta_1}, s'_{w,\delta_1,\delta_2} \leftarrow \mathbb{Z}_p$, define $s_{w,\delta_1,\delta_2} = s'_{w,\delta_1,\delta_2} - \dfrac{a \cdot s_{\delta_1} \cdot \gamma_{\delta_1,\delta_2}}{x}$ and compute the product

$\hat h_{\delta_1,\delta_2}^{\,s_{\delta_1}} \cdot \hat w^{s_{w,\delta_1,\delta_2}} = \hat g^{-\gamma_{\delta_1,0} \cdot y^\beta_{\delta_1,\delta_2} \cdot s_{\delta_1}} \cdot \hat w^{s'_{w,\delta_1,\delta_2}} \cdot (\hat g^a)^{-y \cdot s_{\delta_1} \cdot \gamma_{\delta_1,\delta_2} / x}. \qquad (7)$

In the same way, $\mathcal{B}$ computes $L_{w,\delta_1,\delta_2} = \hat v^{s_{w,\delta_1,\delta_2}} = \hat g^{\gamma_v \cdot s'_{w,\delta_1,\delta_2}} \cdot (\hat g^a)^{-\gamma_v \cdot s_{\delta_1} \cdot \gamma_{\delta_1,\delta_2} / x}$. Note that, for each $k \in \{1, \ldots, \mu\} \setminus \{\delta_2\}$, $\mathcal{B}$ has to generate $K_{\delta_1,k}$ by computing $\hat h_{\delta_1,k}^{\,s_{\delta_1}}$ using the same random exponent $s_{\delta_1}$ as in (7). This is always possible since $\mathcal{B}$ knows that exponent.

When it comes to construct the challenge ciphertext, algorithm $\mathcal{B}$ first sets $C_0 = M \cdot e(g^c, \hat g^{\gamma_v})^{\alpha}$, where $M \leftarrow \mathbb{G}_T$. It also chooses $R_w \leftarrow \mathbb{G}$ and computes

$C_v = (g^c)^{\gamma_v}, \qquad C_w = R_w,$

as well as

$C_{i_1,i_2} = (g^c)^{\gamma_{i_1,i_2}} \qquad \text{if } (i_1 > \delta_1) \vee ((i_1 = \delta_1) \wedge (i_2 > \delta_2)),$
$C_{\delta_1,\delta_2} = (g^z)^{\gamma_{\delta_1,\delta_2}}.$

If $i_1 < \delta_1$, or $i_1 = \delta_1$ and $i_2 < \delta_2$, then $C_{i_1,i_2}$ is chosen uniformly in $\mathbb{G}$.

We observe that, in the situation where $z = abc$, $(C_0, C_v, C_w, \{C_{i_1,i_2}\}_{i_1 \in \{1,\ldots,d^*\},\, i_2 \in \{1,\ldots,\mu\}})$ is distributed in the same way as in $\mathsf{Game}_{4,\delta_1,\delta_2-1}$: by (4), $(h_{\delta_1,0}^{y^\beta_{\delta_1,\delta_2}} \cdot h_{\delta_1,\delta_2})^{c} = (g^{abc})^{\gamma_{\delta_1,\delta_2}}$, so $C_{\delta_1,\delta_2}$ is well-formed with encryption exponent $s = c$, while $C_w$ is random as in every game from $\mathsf{Game}_3$ on.

In contrast, if $z \in_R \mathbb{Z}_p$, we have $z \neq abc$ with overwhelming probability. In this case, $C_{\delta_1,\delta_2}$ looks random to the adversary and $\mathcal{B}$ is thus playing $\mathsf{Game}_{4,\delta_1,\delta_2}$. $\square$



4 A Hierarchical Identity-Based Lossy Trapdoor Function

4.1 Intuition

From the HPE scheme of Section 3, our hierarchical lossy function is obtained by including an $n \times n$ matrix of HPE ciphertexts in the master public parameters. As in the DDH-based lossy function of Peikert and Waters [25], each row of the matrix is associated with an encryption exponent, which is re-used throughout the entire row. Each column corresponds to a different set of public parameters in the HPE system.

Depending on whether the public parameters of the HIB-LTDF are prepared for the injective mode or the partially lossy mode, all HPE ciphertexts in the matrix correspond to different hierarchical vectors $(y_1, \ldots, y_d) \in \mathbb{Z}_p^{d \cdot \mu}$. The selective weak attribute-hiding property of the HPE scheme guarantees that the two setups are computationally indistinguishable.

In order to evaluate the function for some hierarchical identity $\mathsf{id} = (\mathsf{id}_1, \ldots, \mathsf{id}_\ell)$, the evaluation algorithm first computes a transformation on HPE ciphertexts. During this transformation, inner products of the form $\langle y_{i_1}, \mathsf{id}_{i_1} \rangle$ are calculated in the exponent for $i_1 = 1$ to $\ell$. The transformation gives an $n \times n$ matrix (10) of anonymous HIBE ciphertexts that are always well-formed in non-diagonal entries. As for diagonal entries, they contain "perturbed" HIBE ciphertexts: at each level, one ciphertext component contains a perturbation factor of the form $\langle y_{i_1}, \mathsf{id}_{i_1} \rangle$. In this matrix of HIBE ciphertexts, random encryption exponents are again re-used in all positions of each row.

The function evaluation is then carried out as in [25], by computing a matrix-vector product in the exponent and taking advantage of the homomorphic properties of the HIBE scheme over the randomness space. The function output can be seen as a set of $n$ anonymous HIBE ciphertexts, one for each input bit, which are well-formed ciphertexts if and only if the corresponding input bit is 0 (i.e., if and only if the perturbation factors $\{\langle y_{i_1}, \mathsf{id}_{i_1} \rangle\}_{i_1=1}^{\ell}$ are left out when computing the matrix-vector product in the exponent). The function is thus inverted by testing the well-formedness of each HIBE ciphertext using the private key.

In the injective mode, the public parameters are generated in such a way that, for all identities $\mathsf{id} = (\mathsf{id}_1, \ldots, \mathsf{id}_\ell)$, we have $\langle y_{i_1}, \mathsf{id}_{i_1} \rangle \neq 0$ for each $i_1 \in \{1, \ldots, \ell\}$. In the partially lossy mode, we have $\langle y_{i_1}, \mathsf{id}_{i_1} \rangle = 0$ for each $i_1 \in \{1, \ldots, \ell\}$ with non-negligible probability. In this case, the inversion algorithm always outputs $0^n$, regardless of the input.



4.2 Description

HF.Setup$(\lambda, d, n, \mu)$: given a security parameter $\lambda \in \mathbb{N}$, the (constant) desired number of levels in the hierarchy $d \in \mathbb{N}$ and integers $\mu, n \in \mathrm{poly}(\lambda)$ specifying the length of identities and that of function inputs, respectively, choose asymmetric bilinear groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of prime order $p > 2^\lambda$. Define $\mathsf{InpSp} = \{0,1\}^n$, $\mathcal{U}_{\mathsf{ID}} = \{(1, x) : x \in \mathbb{Z}_p^{\mu-1}\}$ and $\mathsf{IdSp}$ as the set of hierarchical identities $(\mathsf{id}_1, \ldots, \mathsf{id}_\ell)$ with $\ell \leq d$ and $\mathsf{id}_{i_1} \in \mathcal{U}_{\mathsf{ID}}$ for each $i_1$. The public parameters are $\mathsf{pms} = (p, (\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T), d, n, \mu, \mathsf{InpSp}, \mathsf{IdSp})$.

As in [7], the master key generation algorithm of our HIB-TDF receives an auxiliary input $y$. Here, it is a concatenation of row vectors $y_1, \ldots, y_d \in \mathbb{Z}_p^\mu$.

HF.MKg$(\mathsf{pms}, y)$: parse the auxiliary input as $y = [y_1 | \cdots | y_d] \in \mathbb{Z}_p^{d \cdot \mu}$, and proceed as follows.

1. Choose $\alpha_v \leftarrow \mathbb{Z}_p^*$, $\alpha_w \leftarrow (\mathbb{Z}_p^*)^n$ and $\alpha_h \leftarrow (\mathbb{Z}_p^*)^{d \times (\mu+1) \times n}$. Define $v = g^{\alpha_v}$, $\hat v = \hat g^{\alpha_v}$, $w = g^{\alpha_w} \in \mathbb{G}^n$ and $\hat w = \hat g^{\alpha_w} \in \hat{\mathbb{G}}^n$. Likewise, set $h = g^{\alpha_h} \in \mathbb{G}^{d \times (\mu+1) \times n}$ and $\hat h = \hat g^{\alpha_h} \in \hat{\mathbb{G}}^{d \times (\mu+1) \times n}$. Define

$\mathsf{PP}_{core} := \big( v,\ \{w[l_1]\}_{l_1=1}^{n},\ \{h[i_1, i_2, l_1]\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{0,\ldots,\mu\},\, l_1 \in \{1,\ldots,n\}} \big).$

2. For $i_1 = 1$ to $d$, parse $y_{i_1}$ as $(y_{i_1}[1], \ldots, y_{i_1}[\mu]) \in \mathbb{Z}_p^\mu$. For $l_2 = 1$ to $n$, conduct the following steps.

   a. Choose $s[l_2] \leftarrow \mathbb{Z}_p^*$ and compute $J[l_2] = v^{s[l_2]}$ as well as

   $C_w[l_2, l_1] = w[l_1]^{s[l_2]},$

   $C[i_1, i_2, l_2, l_1] = \big( h[i_1, 0, l_1]^{\,y_{i_1}[i_2] \cdot \delta_{l_1,l_2}} \cdot h[i_1, i_2, l_1] \big)^{s[l_2]},$

   for each $i_1 \in \{1, \ldots, d\}$, $i_2 \in \{1, \ldots, \mu\}$, $l_1 \in \{1, \ldots, n\}$, where $\delta_{l_1,l_2} = 1$ if $l_1 = l_2$ and $\delta_{l_1,l_2} = 0$ otherwise (only the diagonal entries $l_1 = l_2$ carry the perturbation $y_{i_1}[i_2]$).

   b. Define an $n \times n$ matrix $\{\mathsf{CT}[l_2, l_1]\}_{l_2, l_1 \in \{1,\ldots,n\}}$ of HPE ciphertexts

   $\mathsf{CT}[l_2, l_1] = \big( J[l_2],\ C_w[l_2, l_1],\ \{C[i_1, i_2, l_2, l_1]\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{1,\ldots,\mu\}} \big). \qquad (8)$

The master public key consists of $\mathsf{mpk} := (\mathsf{PP}_{core}, \{\mathsf{CT}[l_2, l_1]\}_{l_2, l_1 \in \{1,\ldots,n\}})$ while the master secret key consists of $\mathsf{msk} := (\hat v, \hat w, \hat h)$.

HF.Kg$(\mathsf{pms}, \mathsf{msk}, (\mathsf{id}_1, \ldots, \mathsf{id}_\ell))$: to generate a key for an identity $(\mathsf{id}_1, \ldots, \mathsf{id}_\ell) \in \mathsf{IdSp}$, parse $\mathsf{msk}$ as $(\hat v, \hat w, \hat h)$ and $\mathsf{id}_{i_1}$ as $\mathsf{id}_{i_1}[1] \ldots \mathsf{id}_{i_1}[\mu]$ for $i_1 = 1$ to $\ell$. Choose $r_w, r_1, \ldots, r_\ell \leftarrow (\mathbb{Z}_p^*)^n$. For each $l_1 \in \{1, \ldots, n\}$, compute the decryption component $SK_D = (D, D_w, \{D_{i_1}\}_{i_1=1}^{\ell})$ of the key as

$D[l_1] = \prod_{i_1=1}^{\ell} \Big( \prod_{i_2=1}^{\mu} \hat h[i_1, i_2, l_1]^{\,\mathsf{id}_{i_1}[i_2]} \Big)^{r_{i_1}[l_1]} \cdot \hat w[l_1]^{\,r_w[l_1]},$

$D_w[l_1] = \hat v^{\,r_w[l_1]}, \qquad D_{i_1}[l_1] = \hat v^{\,r_{i_1}[l_1]}, \qquad (9)$

and the delegation component

$SK_{DL} = \big( \{K[j, k, l_1]\}_{j,k,l_1},\ \{L[j, l_1]\}_{j,l_1},\ \{L[j, k, i_1, l_1]\}_{j,k,i_1,l_1},\ \{L_w[j, k, l_1]\}_{j,k,l_1} \big),$

with $j \in \{\ell+1, \ldots, d\}$, $k \in \{1, \ldots, \mu\}$ and $i_1 \in \{1, \ldots, \ell\}$, as

$K[j, k, l_1] = \prod_{i_1=1}^{\ell} \Big( \prod_{i_2=1}^{\mu} \hat h[i_1, i_2, l_1]^{\,\mathsf{id}_{i_1}[i_2]} \Big)^{s_{j,k,i_1}[l_1]} \cdot \hat h[j, k, l_1]^{\,s_j[l_1]} \cdot \hat w[l_1]^{\,s_{w,j,k}[l_1]},$

$L[j, l_1] = \hat v^{\,s_j[l_1]}, \qquad L[j, k, i_1, l_1] = \hat v^{\,s_{j,k,i_1}[l_1]} \qquad \text{and} \qquad L_w[j, k, l_1] = \hat v^{\,s_{w,j,k}[l_1]},$

where $s_j, s_{j,k,i_1}, s_{w,j,k} \leftarrow (\mathbb{Z}_p^*)^n$ are random vectors. Output $SK_{(\mathsf{id}_1, \ldots, \mathsf{id}_\ell)} = (SK_D, SK_{DL})$.

HF.Del$(\mathsf{pms}, \mathsf{mpk}, (\mathsf{id}_1, \ldots, \mathsf{id}_\ell), SK_{(\mathsf{id}_1, \ldots, \mathsf{id}_\ell)}, \mathsf{id}_{\ell+1})$: parse $SK_{(\mathsf{id}_1, \ldots, \mathsf{id}_\ell)}$ as an HF private key of the form $(SK_D, SK_{DL})$, and $\mathsf{id}_{\ell+1}$ as a string $\mathsf{id}_{\ell+1}[1] \ldots \mathsf{id}_{\ell+1}[\mu] \in \mathcal{U}_{\mathsf{ID}}$.

1. For $l_1 = 1$ to $n$, define auxiliary master key pairs $(\mathsf{msk}[l_1], \mathsf{mpk}[l_1])$ as

$\mathsf{mpk}[l_1] = \big( v,\ w[l_1],\ \{h[i_1, i_2, l_1]\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{0,\ldots,\mu\}} \big),$

with $\mathsf{msk}[l_1] = (\hat v, \hat w[l_1], \{\hat h[i_1, i_2, l_1]\}_{i_1, i_2})$ the corresponding elements of $\hat{\mathbb{G}}$. Define $\ell$-th level HPE keys $SK_{(\mathsf{id}_1, \ldots, \mathsf{id}_\ell)}[l_1] = (SK_D[l_1], SK_{DL}[l_1])$ where

$SK_D[l_1] = \big( D[l_1],\ D_w[l_1],\ \{D_{i_1}[l_1]\}_{i_1=1}^{\ell} \big),$
$SK_{DL}[l_1] = \big( \{K[j, k, l_1]\}_{j,k},\ \{L[j, l_1]\}_{j},\ \{L[j, k, i_1, l_1]\}_{j,k,i_1},\ \{L_w[j, k, l_1]\}_{j,k} \big).$

2. For $l_1 = 1$ to $n$, run $\mathsf{Delegate}(\mathsf{mpk}[l_1], (\mathsf{id}_1, \ldots, \mathsf{id}_\ell), SK_{(\mathsf{id}_1, \ldots, \mathsf{id}_\ell)}[l_1], \mathsf{id}_{\ell+1})$ (as specified in Section 3) to get $SK_{(\mathsf{id}_1, \ldots, \mathsf{id}_\ell, \mathsf{id}_{\ell+1})}[l_1] = (SK'_D[l_1], SK'_{DL}[l_1])$.

Finally return $\{SK_{(\mathsf{id}_1, \ldots, \mathsf{id}_\ell, \mathsf{id}_{\ell+1})}[l_1]\}_{l_1=1}^{n}$.

HF.Eval$(\mathsf{pms}, \mathsf{mpk}, (\mathsf{id}_1, \ldots, \mathsf{id}_\ell), X)$: Given an $n$-bit input $X = x_1 \ldots x_n \in \{0,1\}^n$, for $i_1 = 1$ to $\ell$, parse $\mathsf{id}_{i_1}$ as $\mathsf{id}_{i_1}[1] \ldots \mathsf{id}_{i_1}[\mu]$. For $l_1 = 1$ to $n$, do the following.

1. For each $l_2 \in \{1, \ldots, n\}$, compute modified HPE ciphertexts by defining

$C_{\mathsf{id}}[i_1, l_2, l_1] = \prod_{i_2=1}^{\mu} C[i_1, i_2, l_2, l_1]^{\,\mathsf{id}_{i_1}[i_2]} = \Big( h[i_1, 0, l_1]^{\,\langle y_{i_1}, \mathsf{id}_{i_1} \rangle \cdot \delta_{l_1,l_2}} \cdot \prod_{i_2=1}^{\mu} h[i_1, i_2, l_1]^{\,\mathsf{id}_{i_1}[i_2]} \Big)^{s[l_2]}$

for each $i_1 \in \{1, \ldots, \ell\}$, $l_1, l_2 \in \{1, \ldots, n\}$. The modified ciphertexts are

$\mathsf{CT}_{\mathsf{id}}[l_2, l_1] = \big( J[l_2],\ C_w[l_2, l_1],\ \{C_{\mathsf{id}}[i_1, l_2, l_1]\}_{i_1=1}^{\ell} \big) \in \mathbb{G}^{\ell+2}. \qquad (10)$

The resulting $\{\mathsf{CT}_{\mathsf{id}}[l_2, l_1]\}_{l_2, l_1 \in \{1,\ldots,n\}}$ thus form an $n \times n$ matrix of anonymous HIBE ciphertexts for the identity $\mathsf{id} = (\mathsf{id}_1, \ldots, \mathsf{id}_\ell)$.

2. Compute $C_{\mathsf{id},v} = \prod_{l_2=1}^{n} J[l_2]^{x_{l_2}} = v^{\langle s, X \rangle}$ as well as

$\mathsf{CT}_{\mathsf{id},w}[l_1] = \prod_{l_2=1}^{n} C_w[l_2, l_1]^{x_{l_2}} = w[l_1]^{\langle s, X \rangle},$

$\mathsf{CT}_{\mathsf{id}}[i_1, l_1] = \prod_{l_2=1}^{n} C_{\mathsf{id}}[i_1, l_2, l_1]^{x_{l_2}} = h[i_1, 0, l_1]^{\,s[l_1] \cdot x_{l_1} \cdot \langle y_{i_1}, \mathsf{id}_{i_1} \rangle} \cdot \Big( \prod_{i_2=1}^{\mu} h[i_1, i_2, l_1]^{\,\mathsf{id}_{i_1}[i_2]} \Big)^{\langle s, X \rangle}, \qquad (11)$

where $s = (s[1], \ldots, s[n])$ and $\langle s, X \rangle = \sum_{l_2=1}^{n} s[l_2] \cdot x_{l_2}$. Then return the output

$C = \big( C_{\mathsf{id},v},\ \{\mathsf{CT}_{\mathsf{id},w}[l_1]\}_{l_1=1}^{n},\ \{\mathsf{CT}_{\mathsf{id}}[i_1, l_1]\}_{i_1 \in \{1,\ldots,\ell\},\, l_1 \in \{1,\ldots,n\}} \big) \in \mathbb{G}^{n + 1 + n \cdot \ell}. \qquad (12)$

HF.Inv$(\mathsf{pms}, \mathsf{mpk}, (\mathsf{id}_1, \ldots, \mathsf{id}_\ell), SK_{(\mathsf{id}_1, \ldots, \mathsf{id}_\ell)}, C)$: parse the decryption component $SK_D$ of the private key as a tuple of the form $(D, D_w, \{D_{i_1}\}_{i_1=1}^{\ell})$, each entry being a vector of $n$ elements of $\hat{\mathbb{G}}$, and the output $C$ as per (12). Then, for $l_1 = 1$ to $n$, set $x_{l_1} = 0$ if

$e(C_{\mathsf{id},v}, D[l_1]) \cdot e(\mathsf{CT}_{\mathsf{id},w}[l_1], D_w[l_1])^{-1} \cdot \prod_{i_1=1}^{\ell} e(\mathsf{CT}_{\mathsf{id}}[i_1, l_1], D_{i_1}[l_1])^{-1} = 1_{\mathbb{G}_T}. \qquad (13)$

Otherwise, set $x_{l_1} = 1$. Eventually, return $X = x_1 \ldots x_n \in \{0,1\}^n$.

From (11), we notice that, with overwhelming probability, if there exists some $i_1 \in \{1, \ldots, \ell\}$ such that $\langle y_{i_1}, \mathsf{id}_{i_1} \rangle \neq 0$, relation (13) is satisfied if and only if $x_{l_1} = 0$. Indeed, by bilinearity the left-hand side of (13) collapses to $\prod_{i_1=1}^{\ell} e\big( h[i_1, 0, l_1], D_{i_1}[l_1] \big)^{-s[l_1] \cdot x_{l_1} \cdot \langle y_{i_1}, \mathsf{id}_{i_1} \rangle}$, which equals $1_{\mathbb{G}_T}$ when $x_{l_1} = 0$ and, when $x_{l_1} = 1$, is trivial only if the random exponents $r_{i_1}[l_1]$ happen to cancel the non-zero perturbations, which has probability $1/p$. In this case, the output (12) is distributed as a vector of $n$ Boneh-Boyen HIBE ciphertexts (in their anonymous variant considered in [E]). These ciphertexts correspond to the same encryption exponent $\langle s, X \rangle$ and are generated under $n$ distinct master public keys sharing the same component $v \in \mathbb{G}$.

When the function is implemented in injective mode, the auxiliary input consists of a vector $y^{(0)} = [(1, 0, \ldots, 0) | \cdots | (1, 0, \ldots, 0)] \in \mathbb{Z}_p^{d \cdot \mu}$. Since $\mathsf{id}_{i_1}[1] = 1$ for each $i_1$, this guarantees injectivity, because $\langle y^{(0)}_{i_1}, \mathsf{id}_{i_1} \rangle = 1 \neq 0$ for each $i_1$.
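The following is an added example, not code from the paper or its authors: an exponent-side model of HF.MKg, HF.Kg, HF.Eval and HF.Inv in which every group element is represented by its discrete logarithm, so that the pairing becomes a product of scalars and relations (11)-(13) can be checked exactly. The model has no cryptographic security (the logs are explicit); it only exercises the algebra of the construction, i.e. that the injective auxiliary input $y^{(0)}$ inverts correctly, that an auxiliary input with $\langle y_{i_1}, \mathsf{id}_{i_1} \rangle = 0$ at every level makes HF.Inv return $0^n$ for that identity regardless of the input, and that the same parameters still invert for an identity the lossy vectors do not annihilate. The modulus `P`, the function names, the `aux()` generator and the sample identities and input are all assumptions of the example.

```python
# Added example (not the paper's code): an exponent-side model of the
# HIB-LTDF of Section 4.2.  Every element of G, G^ and G_T is represented by
# its discrete log in Z_p (base g, g^ and e(g,g^)), so a product of group
# elements is a sum, exponentiation is a product and the pairing
# e(g^a, g^^b) = e(g,g^)^{ab} is a*b mod p.  The algebra of HF.MKg, HF.Kg,
# HF.Eval and HF.Inv is reproduced exactly, which lets us check (11)-(13) and
# the injective/lossy dichotomy; the "group" itself has no security (its logs
# are explicit), so this is a correctness harness only.
# Assumptions: P is a toy modulus; identities are vectors in Z_p^mu with first
# coordinate 1 (the set U_ID of HF.Setup); aux() is one natural lossy
# auxiliary-input generator, not the paper's Aux.
import secrets

P = 2**61 - 1  # toy Mersenne prime; the paper needs p > 2^lambda


def rnd():
    """Uniform element of Z_p^*."""
    return secrets.randbelow(P - 1) + 1


def inner(u, v):
    """Inner product <u, v> over Z_p."""
    return sum(a * b for a, b in zip(u, v)) % P


def mkg(d, mu, n, y):
    """HF.MKg with auxiliary input y = (y_1, ..., y_d), y_i in Z_p^mu.

    Returns (mpk, msk): mpk holds the n x n matrix of HPE ciphertexts as
    exponents, msk the logs of v^, w^, h^ (equal to those of v, w, h here).
    """
    a_v = rnd()
    a_w = [rnd() for _ in range(n)]
    a_h = [[[rnd() for _ in range(n)] for _ in range(mu + 1)] for _ in range(d)]
    s = [rnd() for _ in range(n)]                    # one exponent per row l2
    J = [a_v * s[l2] % P for l2 in range(n)]         # J[l2] = v^{s[l2]}
    Cw = [[a_w[l1] * s[l2] % P for l1 in range(n)] for l2 in range(n)]
    # C[i1][i2][l2][l1] = (h[i1,0,l1]^{y_i1[i2]*delta(l1,l2)} * h[i1,i2,l1])^{s[l2]}
    C = [[[[(a_h[i1][0][l1] * (y[i1][i2] if l1 == l2 else 0) + a_h[i1][i2 + 1][l1]) * s[l2] % P
            for l1 in range(n)] for l2 in range(n)] for i2 in range(mu)] for i1 in range(d)]
    return {"n": n, "mu": mu, "J": J, "Cw": Cw, "C": C}, {"v": a_v, "w": a_w, "h": a_h}


def kg(msk, n, ident):
    """HF.Kg, decryption component SK_D only (all that HF.Inv uses), eq. (9).
    Returns, per l1, the triple (D[l1], D_w[l1], [D_{i1}[l1]])."""
    sk = []
    for l1 in range(n):
        r_w, r = rnd(), [rnd() for _ in ident]
        # D[l1] = prod_i1 (prod_i2 h^[i1,i2,l1]^{id_i1[i2]})^{r_i1[l1]} * w^[l1]^{r_w[l1]}
        D = msk["w"][l1] * r_w
        for i1, id_i1 in enumerate(ident):
            D += r[i1] * sum(msk["h"][i1][i2 + 1][l1] * id_i1[i2] for i2 in range(len(id_i1)))
        sk.append((D % P, msk["v"] * r_w % P, [msk["v"] * r_i % P for r_i in r]))
    return sk


def evaluate(mpk, ident, X):
    """HF.Eval: the matrix-vector product in the exponent with the input bits."""
    n, mu = mpk["n"], mpk["mu"]
    # (10): C_id[i1][l2][l1] = prod_i2 C[i1,i2,l2,l1]^{id_i1[i2]}
    Cid = [[[sum(mpk["C"][i1][i2][l2][l1] * ident[i1][i2] for i2 in range(mu)) % P
             for l1 in range(n)] for l2 in range(n)] for i1 in range(len(ident))]
    # (11): collapse the rows with X; the exponent <s, X> is now implicit
    C_v = sum(mpk["J"][l2] * X[l2] for l2 in range(n)) % P
    CT_w = [sum(mpk["Cw"][l2][l1] * X[l2] for l2 in range(n)) % P for l1 in range(n)]
    CT = [[sum(Cid[i1][l2][l1] * X[l2] for l2 in range(n)) % P for l1 in range(n)]
          for i1 in range(len(ident))]
    return C_v, CT_w, CT                            # the output (12)


def invert(sk, C):
    """HF.Inv: bit l1 is 0 iff the well-formedness relation (13) holds."""
    C_v, CT_w, CT = C
    X = []
    for l1, (D, D_w, D_i) in enumerate(sk):
        # e(C_v, D) * e(CT_w, D_w)^-1 * prod_i1 e(CT[i1], D_i1)^-1 == 1 in G_T
        t = C_v * D - CT_w[l1] * D_w - sum(CT[i1][l1] * D_i[i1] for i1 in range(len(D_i)))
        X.append(0 if t % P == 0 else 1)
    return X


def aux(ident, d, mu):
    """Lossy auxiliary input for `ident` (an assumed choice, not the paper's Aux):
    y_i1 = (-id_i1[2], 1, 0, ...) gives <y_i1, id_i1> = 0 since id_i1[1] = 1;
    levels below the identity's depth keep the injective vector (1, 0, ..., 0)."""
    return [[(-ident[i1][1]) % P, 1] + [0] * (mu - 2) if i1 < len(ident)
            else [1] + [0] * (mu - 1) for i1 in range(d)]


def demo():
    """Injective mode inverts; lossy mode yields 0^n for the target identity
    but still inverts for an identity the lossy vectors do not annihilate."""
    d, mu, n = 3, 4, 8
    ident = [[1, 5, 7, 9], [1, 2, 3, 4]]            # depth-2 identity in U_ID
    other = [[1, 6, 7, 9], [1, 2, 3, 4]]            # differs at level 1
    X = [1, 0, 1, 1, 0, 0, 1, 0]                    # constructed input
    mpk, msk = mkg(d, mu, n, [[1] + [0] * (mu - 1)] * d)   # y^(0): injective
    inj_ok = invert(kg(msk, n, ident), evaluate(mpk, ident, X)) == X
    mpk, msk = mkg(d, mu, n, aux(ident, d, mu))              # y^(1): lossy for ident
    lossy_out = invert(kg(msk, n, ident), evaluate(mpk, ident, X))
    other_ok = invert(kg(msk, n, other), evaluate(mpk, other, X)) == X
    return inj_ok, lossy_out, other_ok


if __name__ == "__main__":
    print(demo())  # (True, [0, 0, 0, 0, 0, 0, 0, 0], True)
```

In this model the left-hand side of (13) reduces to $-\alpha_v \cdot x_{l_1} \cdot s[l_1] \cdot \sum_{i_1} r_{i_1}[l_1] \cdot \alpha_h[i_1, 0, l_1] \cdot \langle y_{i_1}, \mathsf{id}_{i_1} \rangle \bmod p$, which is what `invert` tests: it vanishes for every $l_1$ as soon as all inner products are zero (lossy identity), and otherwise vanishes exactly when $x_{l_1} = 0$, up to a $1/p$ probability over the key randomness.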
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4.3 Security Analysis 



We prove that the HIB-LTDF in the previous section satisfies the required security property (Def- 
inition [2]), both against selective and adaptive adversaries. 

To analyze the security of the scheme, in both the adaptive and the selective cases, we define two 
experiments, RLq and RL n . In both of them, HF. Setup is run and the public parameters are given to 
the adversary. Algorithm HF.MKg is run with auxiliary input y (0) = [(1, 0, . . . , 0) | . . . | (1, 0, . . . , 0)] 
in RLq, and with auxiliary input yW = [y^ 1 | . . . \y]p] in the experiment RL n , where y^ 1 ) is 
produced by an auxiliary input generator Aux(id) taking as input a special hierarchical identity 
id = (idx, • • • , id^). The master public key mpk is given to the adversary. The adversary can request 
secret keys for identities id, as in definition [21 which will be answered using HF.Kg and HF.Del and 
will be added to IS, which is initialized to IS = {0}. Also, the adversary will output a hierarchical 
identity id*, as in definition [2j Finally, the adversary will output a guess d! . Both in RLq and 
RL n , the experiment will halt and output if a) for any id = (idx, • • • > '^e) £ IS we have that 
{y£\ m \d h ) = for each h G {1,...,^} or b) if (y£\ id*) ^ for some h G {1,...,^}. If the 
experiment has not aborted, it will output the bit d! . 

In both the selective and the adaptive cases, security will be a result of the following lemma, 
that we prove in a different section. 

Lemma 6. Under the V-BDH\ and DDH2 assumptions, the experiments RLq and RL n return 1 
with nearly identical probabilities. Namely, there exist PPT algorithms B\ and B 2 such that 

\Pt[RLq => 1] - Pr[RL n => 1]| < n ■ ((d ■ // + 1) • Adv p " BDHl (fix) + q • Adv p " DDH2 (B 2 )) , 

where q is the number of "Reveal-key" queries made by the adversary A. 

Proof of Lemma [6] 

We consider a sequence of n + 1 hybrid experiments RLq, . . . , RL n . For each k G {0, . . . ,n}, RL^ is 
defined to be an experiment where public parameters are generated as follows. First, the simulator 
B chooses »f G,wAG",wAG",hA Qdx(n+l)xn^ ^ £. Qdx(»+l)xn and computes pp core in 

the same way as in the real scheme. 

In the second step of the setup procedure, the simulator $\mathcal{B}$ chooses a vector $\mathbf{s} \xleftarrow{R} (\mathbb{Z}_p^*)^n$. For $l_1, l_2 \in \{1,\ldots,n\}$, it first computes

$$J[l_2] = v^{s[l_2]}.$$

Then, for each pair $(l_1, l_2)$ such that $l_1 \neq l_2$, $\mathcal{B}$ sets

$$C_w[l_2, l_1] = w[l_1]^{s[l_2]}.$$

Finally, for each $l \in \{1,\ldots,n\}$, $i_1 \in \{1,\ldots,d\}$ and $i_2 \in \{1,\ldots,\mu\}$, $\mathcal{B}$ defines

$$C[i_1, i_2, l, l] = \big(h[i_1, 0, l]^{\,y^{(1)}_{i_1}[i_2]} \cdot h[i_1, i_2, l]\big)^{s[l]} \quad \text{if } l \le k,$$
$$C[i_1, i_2, l, l] = \big(h[i_1, 0, l]^{\,y^{(0)}_{i_1}[i_2]} \cdot h[i_1, i_2, l]\big)^{s[l]} \quad \text{if } l > k.$$
Lemma 7 demonstrates that, for each $k \in \{1,\ldots,n\}$, experiment $RL_k$ is computationally indistinguishable from experiment $RL_{k-1}$.

If we assume that the statement of Lemma 6 is false, there must exist $k \in \{1,\ldots,n\}$ such that the adversary can distinguish $RL_k$ from $RL_{k-1}$, and we obtain a contradiction. □

Lemma 7. If the HPE scheme described in Section 3 is selectively weakly attribute-hiding, then Game $RL_k$ is indistinguishable from Game $RL_{k-1}$ for each $k \in \{1,\ldots,n\}$. Namely, for each $k$, there exist algorithms $\mathcal{B}_1$ and $\mathcal{B}_2$ such that

$$|\Pr[RL_k \Rightarrow 1] - \Pr[RL_{k-1} \Rightarrow 1]| \le (d\cdot\mu + 1)\cdot\mathbf{Adv}^{\mathrm{P\text{-}BDH_1}}(\mathcal{B}_1) + q\cdot\mathbf{Adv}^{\mathrm{DDH_2}}(\mathcal{B}_2),$$

where $q$ is the number of "Reveal-key" queries made by $\mathcal{A}$.

Proof. For the sake of contradiction, let us assume that there exist two auxiliary hierarchical vectors $\mathbf{y}^{(0)} = [\mathbf{y}^{(0)}_1\,|\,\cdots\,|\,\mathbf{y}^{(0)}_d]$, $\mathbf{y}^{(1)} = [\mathbf{y}^{(1)}_1\,|\,\cdots\,|\,\mathbf{y}^{(1)}_d]$ and an index $k \in \{1,\ldots,n\}$ such that the adversary $\mathcal{A}$ has noticeably different behaviors in experiments $RL_k$ and $RL_{k-1}$. Using $\mathcal{A}$, we construct a selective weakly attribute-hiding adversary $\mathcal{B}$ against the HPE scheme described in Section 3 (in its predicate-only variant).

Our adversary $\mathcal{B}$ first declares $\mathbf{y}^{(0)}, \mathbf{y}^{(1)} \in \mathbb{Z}_p^{\mu d}$ as the vectors that it wishes to be challenged upon. Then, the HPE challenger provides $\mathcal{B}$ with public parameters

$$mpk_{HPE} = \big(v,\ w,\ \{h_{i_1,i_2}\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{0,\ldots,\mu\}}\big).$$

Then, $\mathcal{B}$ chooses a vector $\xi$ and a matrix $\gamma \in \mathbb{Z}_p^{d\times(\mu+1)\times n}$, which it uses to compute

$$w[l_1] = v^{\xi[l_1]} \quad \text{for } l_1 \in \{1,\ldots,n\}\setminus\{k\},$$
$$h[i_1, i_2, l_1] = v^{\gamma[i_1,i_2,l_1]} \quad \text{for } i_1 \in \{1,\ldots,d\},\ i_2 \in \{0,\ldots,\mu\},\ l_1 \in \{1,\ldots,n\}\setminus\{k\}.$$

It also sets $w[k] = w$ as well as

$$h[i_1, i_2, k] = h_{i_1,i_2} \quad \text{for } i_1 \in \{1,\ldots,d\},\ i_2 \in \{0,\ldots,\mu\}.$$

Then, $\mathcal{B}$ defines core public parameters

$$pp_{core} = \big(v,\ \{w[l_1],\ \{h[i_1,i_2,l_1]\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{0,\ldots,\mu\}}\}_{l_1 \in \{1,\ldots,n\}}\big)$$

that correspond to the master secret key $msk = (\psi, \mathbf{w}, \mathbf{h})$, which is not completely known to $\mathcal{B}$ (specifically, $\psi$, $w[k]$ and $h[\cdot,\cdot,k]$ are not available). Then, $\mathcal{B}$ notifies its HPE challenger that it wishes to directly enter the challenge phase without making any pre-challenge query. The challenger replies with the challenge ciphertext

$$C^* = \big(C_v,\ C_w,\ \{C_{i_1,i_2}\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{1,\ldots,\mu\}}\big),$$

where

$$C_v = v^s, \qquad C_w = w^s, \qquad \big\{C_{i_1,i_2} = \big(h_{i_1,0}^{\,y^{(\beta)}_{i_1}[i_2]} \cdot h_{i_1,i_2}\big)^s\big\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{1,\ldots,\mu\}},$$

for a random element $s \xleftarrow{R} \mathbb{Z}_p^*$ and a random bit $\beta \in \{0,1\}$. Here we are using, for $\beta \in \{0,1\}$, the notation $\mathbf{y}^{(\beta)} = [\mathbf{y}^{(\beta)}_1\,|\,\ldots\,|\,\mathbf{y}^{(\beta)}_d] \in \mathbb{Z}_p^{\mu d}$, where each $\mathbf{y}^{(\beta)}_{i_1} = (y^{(\beta)}_{i_1}[1], \ldots, y^{(\beta)}_{i_1}[\mu]) \in \mathbb{Z}_p^{\mu}$, for $i_1 \in \{1,\ldots,d\}$.
At this point, $\mathcal{B}$ constructs the matrix $\{CT[l_1,l_2]\}_{l_1,l_2 \in \{1,\ldots,n\}}$ of HPE ciphertexts by setting

$$J[k] = C_v,$$
$$C_w[k,k] = C_w,$$
$$C[i_1,i_2,k,k] = C_{i_1,i_2} \quad \text{for } i_1 \in \{1,\ldots,d\},\ i_2 \in \{1,\ldots,\mu\},$$

and, for each $l_1 \in \{1,\ldots,n\}\setminus\{k\}$,

$$C_w[k,l_1] = C_v^{\,\xi[l_1]},$$
$$C[i_1,i_2,k,l_1] = C_v^{\,\gamma[i_1,i_2,l_1]} \quad \text{for } i_1 \in \{1,\ldots,d\},\ i_2 \in \{1,\ldots,\mu\}.$$

Note that this implicitly sets $s[k] = s$, where $s$ is the encryption exponent chosen by the HPE challenger to compute $C^*$. Then, for each $l_2 \in \{1,\ldots,n\}\setminus\{k\}$, $\mathcal{B}$ chooses a random exponent $s[l_2] \xleftarrow{R} \mathbb{Z}_p^*$ and computes

$$J[l_2] = v^{s[l_2]} \tag{14}$$
$$C_w[l_2,l_1] = w[l_1]^{s[l_2]} \quad \text{for } l_1 \in \{1,\ldots,n\}\setminus\{l_2\}$$
$$C[i_1,i_2,l_2,l_1] = h[i_1,i_2,l_1]^{s[l_2]} \quad \text{for } i_1 \in \{1,\ldots,d\},\ i_2 \in \{1,\ldots,\mu\},\ l_1 \in \{1,\ldots,n\}\setminus\{l_2\} \tag{15}$$

As for entries of the form $\{C[i_1, i_2, l, l]\}_{i_1, i_2,\, l \neq k}$, $\mathcal{B}$ computes them as

$$C[i_1,i_2,l,l] = \big(h[i_1,0,l]^{\,y^{(1)}_{i_1}[i_2]} \cdot h[i_1,i_2,l]\big)^{s[l]} \quad \text{if } l < k,$$
$$C[i_1,i_2,l,l] = \big(h[i_1,0,l]^{\,y^{(0)}_{i_1}[i_2]} \cdot h[i_1,i_2,l]\big)^{s[l]} \quad \text{if } l > k,$$

using the exponents $s[l] \in \mathbb{Z}_p^*$ that were chosen in (14). Finally, our adversary $\mathcal{B}$ defines the $n \times n$ matrix $\{CT[l_2,l_1]\}_{l_2,l_1 \in \{1,\ldots,n\}}$ of HPE ciphertexts

$$CT[l_2,l_1] = \big(J[l_2],\ C_w[l_2,l_1],\ \{C[i_1,i_2,l_2,l_1]\}_{i_1 \in \{1,\ldots,d\},\, i_2 \in \{1,\ldots,\mu\}}\big).$$

Finally, $\mathcal{B}$ defines $mpk := (pp_{core}, \{CT[l_2,l_1]\}_{l_2,l_1 \in \{1,\ldots,n\}})$ and sends it to the adversary $\mathcal{A}$.

When it comes to answering $\mathcal{A}$'s private key queries for hierarchical identities $(\mathsf{id}_1, \ldots, \mathsf{id}_\ell)$, $\mathcal{B}$ first encodes each level's identity $\mathsf{id}_{i_1} \in \{0,1\}^{\mu}$ as a $\mu$-vector $\vec{X}_{i_1} = (\mathsf{id}_{i_1}[1], \ldots, \mathsf{id}_{i_1}[\mu])$ for each $i_1 \in \{1,\ldots,\ell\}$. Although $\mathcal{B}$ does not entirely know $msk$, the decryption components $(D[l_1], D_w[l_1], \{D_{i_1}[l_1]\}_{i_1=1}^{\ell})$ of the private key are always directly computable when $l_1 \neq k$: namely, $\mathcal{B}$ chooses $D_w[l_1] \xleftarrow{R} \mathbb{G}$ and $D_{i_1}[l_1] \xleftarrow{R} \mathbb{G}$, for $i_1 = 1$ to $\ell$, and computes

1 

D[Zi] = H DijZap^i^'^^iN ■■D w {h}tM. 

It is easy to see that $(D[l_1], D_w[l_1], \{D_{i_1}[l_1]\}_{i_1=1}^{\ell})$ forms a decryption component of the form ©. Moreover, the delegation components can be obtained in exactly the same way.
As for the remaining coordinate $l_1 = k$, the simulator $\mathcal{B}$ aborts if, for any $\beta \in \{0,1\}$, the obtained hierarchical vector $(\vec{X}_1, \ldots, \vec{X}_\ell)$ is one for which $\langle \mathbf{y}^{(\beta)}_{i_1}, \vec{X}_{i_1}\rangle = 0$ for each $i_1 \in \{1,\ldots,\ell\}$ (which translates into

in the predicate encryption language). Otherwise, $\mathcal{B}$ can obtain the missing private key components by invoking its HPE challenger to obtain a complete private key $SK_{(\mathsf{id}_1,\ldots,\mathsf{id}_\ell)} = (SK_D, SK_{DL})$.

It is easy to check that, if the HPE challenger's bit is $\beta = 0$, $mpk$ is distributed as in Game $RL_k$. In contrast, if $\beta = 1$, $mpk$ has the same distribution as in Game $RL_{k-1}$. □



Selective-id Security 

We consider our HF with $\mu = 2$, $\Sigma_{ID} = \{(1,x) : x \in \mathbb{Z}_p^*\}$ and $IdSp = (\Sigma_{ID})^{(\le d)}$. We show that this HIB-LTDF is selective-id $(n - \log p, 1)$-partially lossy. Let $(\mathsf{id}^*_1, \ldots, \mathsf{id}^*_{\ell^*}) \in IdSp$ be the identity chosen by the adversary, and write $\mathsf{id}^*_{i_1} = (1, x^*_{i_1})$. Define the sibling LHF with $AuxSp = \mathbb{Z}_p^{2d}$ and auxiliary input $\mathbf{y}^{(1)} = [\mathbf{y}^{(1)}_1\,|\,\ldots\,|\,\mathbf{y}^{(1)}_d] \in \mathbb{Z}_p^{2d}$, where $\mathbf{y}^{(1)}_{i_1} = (-x^*_{i_1}, 1)$ for any $i_1 \in \{1,\ldots,\ell^*\}$ and $\mathbf{y}^{(1)}_{i_1} = (1, 0)$ for $i_1 \in \{\ell^*+1, \ldots, d\}$. Selective security is established in the following theorem.

Theorem 2. Let $n > \log p$ and let $\omega = n - \log p$. Let HF be the HIB-LTDF with parameters $n$, $\mu = 2$, $\Sigma_{ID} = \{(1,x) : x \in \mathbb{Z}_p^*\}$ and $IdSp = (\Sigma_{ID})^{(\le d)}$. Let LHF be the sibling associated with it as above. Let $\delta = 1$ and let $\mathcal{A}$ be a selective-id adversary. Then there exist algorithms $\mathcal{B}_1$ and $\mathcal{B}_2$ such that

$$\mathbf{Adv}^{\delta\text{-lossy}}(\mathcal{A}) \le n \cdot \big((d\cdot\mu+1)\cdot\mathbf{Adv}^{\mathrm{P\text{-}BDH_1}}(\mathcal{B}_1) + q\cdot\mathbf{Adv}^{\mathrm{DDH_2}}(\mathcal{B}_2)\big).$$

The running times of $\mathcal{B}_1$ and $\mathcal{B}_2$ are comparable to the running time of $\mathcal{A}$.

Proof. Let $RL_0$ and $RL_n$ be the games specified above. We claim that $\Pr[\mathrm{REAL}] = \Pr[RL_0]$ and $|\Pr[\mathrm{LOSSY}] - \Pr[RL_n]| \in \mathrm{negl}(\lambda)$, i.e., the experiment will never halt outputting $0$ due to the queried $\mathsf{id}$ or $\mathsf{id}^*$ except with negligible probability. This implies partial lossiness with $\delta = 1$. It is straightforward to see that the first equality is true since $RL_0$ generates parameters with the auxiliary input $\mathbf{y}^{(0)}$, which results in HF.Eval being an injective function for all hierarchical identities $\mathsf{id} \in IdSp$.

To see the other equality, recall that $RL_n$ generates the parameters with the auxiliary input $\mathbf{y}^{(1)}$ given above. Note that any identity $\mathsf{id} = (\mathsf{id}_1, \ldots, \mathsf{id}_\ell)$ satisfies $\langle \mathbf{y}^{(1)}_{i_1}, \mathsf{id}_{i_1}\rangle = 0$ for all $i_1 \in \{1,\ldots,d\}$ if and only if $\mathsf{id} = \mathsf{id}^*$. Further, the left-hand-side member of (13) has a factor of the form

JJ e(h[ii , 0, Zi] , -e) a[il] - ri i [il] - <!, 'i '^^i. 

il=l 

If $\mathsf{id} \neq \mathsf{id}^*$, with overwhelming probability, this factor is different from $1_{\mathbb{G}_T}$ if and only if $x_{l_1} \neq 0$, and the function is injective. On the other hand, this factor vanishes if $\mathsf{id} = \mathsf{id}^*$, which means that, for $\mathsf{id} = \mathsf{id}^*$, the value $\langle \mathbf{s}, \mathbf{X}\rangle$ completely determines the whole ciphertext $C$. This gives at most $p$ possible ciphertexts for $2^n$ inputs, which yields a lossiness $\Lambda\big(\mathrm{HF.Eval}(pms, mpk, (\mathsf{id}^*_1, \ldots, \mathsf{id}^*_{\ell^*}), \cdot)\big) \ge n - \log p = \omega$. □
Adaptive-id Security

For adaptive security we consider our construction of HF with a restricted identity space, namely taking $\Sigma_{ID} = \{(1,x) : x \in \{0,1\}^{\mu-1}\}$. We show that this construction is adaptive-id $\delta$-lossy with $\delta = 1/(2\cdot(2q\mu)^d)$, where $q$ is the maximum number of "Reveal-key" queries of the adversary. We define a sibling LHF with $AuxSp = \mathbb{Z}_p^{\mu d}$, where the auxiliary input $\mathbf{y}^{(1)} = [\mathbf{y}^{(1)}_1\,|\,\ldots\,|\,\mathbf{y}^{(1)}_d]$ is defined, for any $i_1$ from $1$ to $d$, as

$$y'_{i_1} \xleftarrow{R} \{0,\ldots,2q-1\}, \qquad \xi_{i_1} \xleftarrow{R} \{0,\ldots,\mu-1\}, \qquad y^{(1)}_{i_1}[1] = y'_{i_1} - 2\xi_{i_1} q, \qquad \big\{y^{(1)}_{i_1}[i] \xleftarrow{R} \{0,\ldots,2q-1\}\big\}_{i=2}^{\mu}.$$

Theorem 3. Let $n > \log p$ and let $\omega = n - \log p$. Let HF be the HIB-LTDF with parameters $n$, $\mu$, $\Sigma_{ID} = \{(1,x) : x \in \{0,1\}^{\mu-1}\}$, $IdSp = \Sigma_{ID}^{(\le d)}$. Let $\mathcal{A}$ be an adaptive-id adversary that makes a maximal number of $q < p/(2\mu)$ queries and let $\delta = 1/(2\cdot(2q\mu)^d)$. Let LHF be the sibling with auxiliary input as above. Then, there are algorithms $\mathcal{B}_1$ and $\mathcal{B}_2$ such that

$$\mathbf{Adv}^{\delta\text{-lossy}}(\mathcal{A}) \le 2n \cdot \big((d\cdot\mu+1)\cdot\mathbf{Adv}^{\mathrm{P\text{-}BDH_1}}(\mathcal{B}_1) + q\cdot\mathbf{Adv}^{\mathrm{DDH_2}}(\mathcal{B}_2)\big),$$

where the running time of $\mathcal{B}_1$ and $\mathcal{B}_2$ is that of $\mathcal{A}$ plus a $O\big(\mu^3 \cdot \rho^{-2} \cdot \ln((\mu q \rho)^{-1})\big)$ overhead, where

$$\rho = (2q\mu)^{\ell^*} \cdot \mathbf{Adv}^{\delta\text{-lossy}}(\mathcal{A}).$$

Proof. The difficulty of this proof lies in relating the experiments $RL_0$, $RL_n$ with the games REAL and LOSSY. This happens because the output $d'$ of the adversary could be correlated with the fact that its queries cause the experiment to abort. For instance, the adversary could perfectly distinguish between REAL and LOSSY in the game described in Definition 2 but always query secret keys of lossy identities, which would cause the experiments $RL_0$, $RL_n$ to abort. To overcome this difficulty, we will use the artificial abort technique due to Waters with the improved analysis of [22].

We call $E(IS, \mathsf{id}^*)$ the event that the experiment does not halt and output $0$ (cases a) and b) detailed at the beginning of the subsection) over the choice of $Y = \{y'_1, \ldots, y'_d, \mathbf{y}_1, \ldots, \mathbf{y}_d, \xi_1, \ldots, \xi_d\}$, and $\eta(IS, \mathsf{id}^*) = \Pr_Y[E(IS, \mathsf{id}^*)]$. To use the artificial abort technique, in Lemma 8 below we show that

$$X_{low} = \frac{1}{2\cdot(2q\mu)^{\ell^*}} \le \eta(IS, \mathsf{id}^*) \le \frac{1}{(2q)^{\ell^*}} = X_{up}.$$

The proof of this lemma is the main technical difficulty in translating the proof of Bellare et al. [7] 
to our setting. They use similar bounds, due to [22], but we had to extend them to the hierarchical 
case. 

Then, as in [7], we define the games $RL'_0$ and $RL'_n$ that differ from $RL_0$ and $RL_n$ respectively in that, before returning the final output, an artificial abort stage is added before outputting the bit $d'$ of the adversary. Intuitively, this step destroys the (possible) existing correlation between the event that a set of secret key queries leads to an abort and the output $d'$. In this artificial abort stage, an approximation $\eta'(IS, \mathsf{id}^*)$ of $\eta(IS, \mathsf{id}^*)$ is computed. Then, if $\eta'(IS, \mathsf{id}^*) > X_{low}$, the experiment halts and returns $0$ as output with probability $1 - X_{low}/\eta'(IS, \mathsf{id}^*)$. If the experiment doesn't abort, it returns the guess $d'$ of the adversary.

We can now use [22, Lemma 6.3], which states that if we use $O\big(\mu^3 \cdot \rho^{-2} \cdot \ln((\mu q \rho)^{-1})\big)$ samples to compute the approximation $\eta'(IS, \mathsf{id}^*)$, then

$$X_{low}\Pr[\mathrm{REAL}] - \Pr[RL'_0] \le X_{low}\,\rho.$$

This implies $X_{low}\Pr[\mathrm{REAL}] \le \Pr[RL'_0] + X_{low}\,\rho$. Setting $\delta = 1/(2\cdot(2q\mu)^d)$, we have the inequality $\delta\Pr[\mathrm{REAL}] \le X_{low}\Pr[\mathrm{REAL}] \le \Pr[RL'_0] + X_{low}\,\rho$. We use the value of $\delta$ instead of $X_{low}$ since the latter depends on $\ell^*$, the hierarchy length of the challenge identity (and thus depends on the challenge identity), while the former only depends on $d$, the maximum number of hierarchical levels of the scheme.

Also, as in the selective case, we have $\Pr[\mathrm{LOSSY}] = \Pr[RL_n]$. As $RL'_n$ has the artificial abort, it will output $0$ with higher probability than $RL_n$. This implies that $\Pr[\mathrm{LOSSY}] = \Pr[RL_n] \ge \Pr[RL'_n]$. Putting it all together we have that

$$\delta\Pr[\mathrm{REAL}] - \Pr[\mathrm{LOSSY}] \le \Pr[RL'_0] - \Pr[RL'_n] + \rho X_{low}.$$

The left-hand side of this inequality is precisely $\mathbf{Adv}^{\delta\text{-lossy}}(\mathcal{A})$. Using a modified version of Lemma 6 adding the artificial abort stage, we can see that the right-hand side is at most $n \cdot \big((d\cdot\mu+1)\cdot\mathbf{Adv}^{\mathrm{P\text{-}BDH_1}}(\mathcal{B}_1) + q\cdot\mathbf{Adv}^{\mathrm{DDH_2}}(\mathcal{B}_2)\big) + \rho X_{low}$. Setting $\rho = \mathbf{Adv}^{\delta\text{-lossy}}(\mathcal{A})/(2X_{low})$ gives us the statement of the theorem. □

Lemma 8. $X_{low} = \dfrac{1}{2\cdot(2q\mu)^{\ell^*}} \le \eta(IS, \mathsf{id}^*) \le \dfrac{1}{(2q)^{\ell^*}} = X_{up}$.

Proof. Fix the view of the adversary $\mathcal{A}$, which implies fixing the queried identities $\mathsf{id}^{(1)}, \ldots, \mathsf{id}^{(q)}$ and $\mathsf{id}^*$. Although we are assuming that the adversary $\mathcal{A}$ makes the maximum number of queries, with a smaller number of queries we would have the same bounds. We abbreviate $\eta = \eta(IS, \mathsf{id}^*)$, $\mathbf{y} = \mathbf{y}^{(1)}$ and also call $\ell^*$ the depth of the challenge identity $\mathsf{id}^*$. For an integer $t$, define the event

$$E_t := \bigwedge_{i=1}^{q} \bigvee_{i_1=1}^{\ell^{(i)}} \big(\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle \neq 0 \bmod t\big) \ \wedge\ \bigwedge_{i_1=1}^{\ell^*} \big(\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod t\big).$$

We denote $Y = \{y'_1, \ldots, y'_d, \mathbf{y}_1, \ldots, \mathbf{y}_d, \xi_1, \ldots, \xi_d\}$. For all $i_1 \in \{1,\ldots,\ell^*\}$, we have

$$\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle = y'_{i_1} + \sum_{k=2}^{\mu} y_{i_1}[k]\,\mathsf{id}_{i_1}[k] - 2\xi_{i_1} q$$

for some $0 \le \xi_{i_1} \le \mu - 1$. In particular, observe that

$$0 \le y'_{i_1} + \sum_{k=2}^{\mu} y_{i_1}[k]\,\mathsf{id}_{i_1}[k] < 2q\mu < p.$$

Let us define the value $\xi^*_{i_1} := \Big\lfloor \Big(y'_{i_1} + \sum_{k=2}^{\mu} y_{i_1}[k]\,\mathsf{id}^*_{i_1}[k]\Big)/2q \Big\rfloor$. If we have the two conditions $\xi_{i_1} = \xi^*_{i_1}$ for each $i_1 \in \{1,\ldots,\ell^*\}$ and

$$\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q,$$

then clearly $\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod p$. Also, if $\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle \neq 0 \bmod 2q$, then we also have $\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle \neq 0 \bmod p$. Using these observations, we have

$$\eta \ge \Pr_Y\big[\xi_{i_1} = \xi^*_{i_1}\ \forall i_1 \in \{1,\ldots,\ell^*\}\big] \cdot \Pr_Y\big[E_p \mid \xi_{i_1} = \xi^*_{i_1}\ \forall i_1 \in \{1,\ldots,\ell^*\}\big]$$
$$= \frac{1}{\mu^{\ell^*}} \Pr_Y\big[E_p \mid \xi_{i_1} = \xi^*_{i_1}\ \forall i_1 \in \{1,\ldots,\ell^*\}\big]$$
$$\ge \frac{1}{\mu^{\ell^*}} \Pr_Y\big[E_{2q} \mid \xi_{i_1} = \xi^*_{i_1}\ \forall i_1 \in \{1,\ldots,\ell^*\}\big]$$
$$= \frac{1}{\mu^{\ell^*}} \Pr_{Y'}\big[E_{2q} \mid \xi_{i_1} = \xi^*_{i_1}\ \forall i_1 \in \{1,\ldots,\ell^*\}\big],$$

where $Y'$ contains $\{\mathbf{y}'_1, \ldots, \mathbf{y}'_d\}$ and $\mathbf{y}'_{i_1} = (y'_{i_1}, y_{i_1}[2], \ldots, y_{i_1}[\mu])$ for all $i_1 \in \{1,\ldots,d\}$. Note that the second inequality above holds because of the condition $\xi_{i_1} = \xi^*_{i_1}$. If we now define $\eta_{2q} = \Pr_{Y'}[E_{2q} \mid \xi_{i_1} = \xi^*_{i_1}\ \forall i_1 \in \{1,\ldots,\ell^*\}]$, we just showed that $\eta \ge \frac{1}{\mu^{\ell^*}} \cdot \eta_{2q}$. Trivially, we also have the bound $\eta_{2q} \ge \eta$.

Now, we observe some facts about $\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle$. First, observe that $\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle$ and $\langle \mathsf{id}_{i'_1}, \mathbf{y}_{i'_1}\rangle$ are independent for $i_1 \neq i'_1$. This is because of the way $Y$ is chosen.

Also, note that for any $\mathsf{id}_{i_1}$ and $a \in \mathbb{Z}$, $\Pr_{Y'}[\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle = a \bmod 2q] = 1/2q$. This is because for any choice of $y_{i_1}[2], \ldots, y_{i_1}[\mu]$, there is only one value of $y'_{i_1}$ for which the equality holds.

Consider $\mathsf{id} = (\mathsf{id}_1, \ldots, \mathsf{id}_\ell) \neq \mathsf{id}' = (\mathsf{id}'_1, \ldots, \mathsf{id}'_{\ell'})$ with $\mathsf{id}$ not being a prefix of $\mathsf{id}'$, and $a, b \in \mathbb{Z}$. First, if $\ell > \ell'$, for each $i_1 \in \{\ell'+1, \ldots, \ell\}$ such that $\mathsf{id}_{i_1} \neq \mathsf{id}'_{i_1}$, we have

$$\Pr_{Y'}\Big[\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle = a \bmod 2q \ \Big|\ \bigwedge_{k=1}^{\ell'} \langle \mathsf{id}'_k, \mathbf{y}_k\rangle = b \bmod 2q\Big] = \Pr\big[\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle = a \bmod 2q\big] = 1/2q.$$

This happens because $\bigwedge_{k=1}^{\ell'} \langle \mathsf{id}'_k, \mathbf{y}_k\rangle = b \bmod 2q$ does not impose any condition on $\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle$ and we can apply the same arguments as previously.

On the other hand, for all $i_1 \le \ell'$, $\Pr_{Y'}\big[\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle = a \bmod 2q \mid \bigwedge_{k=1}^{\ell'} \langle \mathsf{id}'_k, \mathbf{y}_k\rangle = b \bmod 2q\big]$ is either $0$, if $\mathsf{id}_{i_1} = \mathsf{id}'_{i_1}$, or $1/2q$, if $\mathsf{id}_{i_1} \neq \mathsf{id}'_{i_1}$. The second fact is because, if $\mathsf{id}_{i_1} \neq \mathsf{id}'_{i_1}$, there exists an index $j$ for which $\mathsf{id}_{i_1}[j] = 1$ and $\mathsf{id}'_{i_1}[j] = 0$ or the other way around. We see that, if we fix all $y_{i_1}[i]$ for $i \neq j$ so that $\langle \mathsf{id}'_{i_1}, \mathbf{y}_{i_1}\rangle = b \bmod 2q$, then there is only one value for $y_{i_1}[j]$ so that $\langle \mathsf{id}_{i_1}, \mathbf{y}_{i_1}\rangle = a \bmod 2q$.

With all these observations, we calculate the following bound on $\eta_{2q}$:

$$\eta_{2q} = \Pr_{Y'}\Big[\bigwedge_{i=1}^{q} \bigvee_{i_1=1}^{\ell^{(i)}} \big(\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle \neq 0 \bmod 2q\big) \ \Big|\ \bigwedge_{i_1=1}^{\ell^*} \big(\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big)\Big] \cdot \Pr_{Y'}\Big[\bigwedge_{i_1=1}^{\ell^*} \big(\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big)\Big]$$
$$= \frac{1}{(2q)^{\ell^*}} \Pr_{Y'}\Big[\bigwedge_{i=1}^{q} \bigvee_{i_1=1}^{\ell^{(i)}} \big(\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle \neq 0 \bmod 2q\big) \ \Big|\ \bigwedge_{i_1=1}^{\ell^*} \big(\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big)\Big]$$
$$= \frac{1}{(2q)^{\ell^*}} \Big(1 - \Pr_{Y'}\Big[\bigvee_{i=1}^{q} \bigwedge_{i_1=1}^{\ell^{(i)}} \big(\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big) \ \Big|\ \bigwedge_{i_1=1}^{\ell^*} \big(\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big)\Big]\Big) \tag{16}$$
$$\ge \frac{1}{(2q)^{\ell^*}} \Big(1 - \sum_{i=1}^{q} \Pr_{Y'}\Big[\bigwedge_{i_1=1}^{\ell^{(i)}} \big(\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big) \ \Big|\ \bigwedge_{i_1=1}^{\ell^*} \big(\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big)\Big]\Big).$$

We now focus on how to bound

$$\Pr_{Y'}\Big[\bigwedge_{i_1=1}^{\ell^{(i)}} \big(\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big) \ \Big|\ \bigwedge_{i_1=1}^{\ell^*} \big(\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big)\Big].$$

To this end, we consider two cases: $\ell^{(i)} > \ell^*$ or $\ell^{(i)} \le \ell^*$. In the first case, for each $i_1 \in \{\ell^*+1, \ldots, \ell^{(i)}\}$ we have

$$\Pr_{Y'}\Big[\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q \ \Big|\ \bigwedge_{k=1}^{\ell^*} \big(\langle \mathsf{id}^*_k, \mathbf{y}_k\rangle = 0 \bmod 2q\big)\Big] = \Pr_{Y'}\Big[\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\Big] = 1/2q.$$

For all indices $i_1 \le \ell^*$, the same probability is either $1$ or $1/(2q)$. If $\ell^{(i)} \le \ell^*$, for each $i_1 \in \{1, \ldots, \ell^{(i)}\}$ we have

$$\Pr_{Y'}\Big[\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q \ \Big|\ \bigwedge_{k=1}^{\ell^*} \big(\langle \mathsf{id}^*_k, \mathbf{y}_k\rangle = 0 \bmod 2q\big)\Big] = \Pr_{Y'}\Big[\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q \ \Big|\ \langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\Big],$$

which is $1$ if $\mathsf{id}^{(i)}_{i_1} = \mathsf{id}^*_{i_1}$ and $1/(2q)$ otherwise, due to the fact stated above.

Define $X^{(i)}_1 = \max(\ell^{(i)} - \ell^*, 0)$ and $X^{(i)}_2 = \#\{1 \le i_1 \le \min(\ell^*, \ell^{(i)}) \mid \mathsf{id}^{(i)}_{i_1} \neq \mathsf{id}^*_{i_1}\}$. Note that, by the restrictions imposed on $\mathsf{id}^{(i)}$, we have $X^{(i)}_1 + X^{(i)}_2 \ge 1$ for all $i \in \{1,\ldots,q\}$. Putting it all together, we find

$$\Pr_{Y'}\Big[\bigwedge_{i_1=1}^{\ell^{(i)}} \big(\langle \mathsf{id}^{(i)}_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big) \ \Big|\ \bigwedge_{i_1=1}^{\ell^*} \big(\langle \mathsf{id}^*_{i_1}, \mathbf{y}_{i_1}\rangle = 0 \bmod 2q\big)\Big] \le \frac{1}{(2q)^{X^{(i)}_1 + X^{(i)}_2}} \le \frac{1}{2q}.$$

We can conclude that $\eta_{2q} \ge 1/(2\cdot(2q)^{\ell^*})$. For the upper bound on $\eta_{2q}$, we have $\eta_{2q} \le 1/(2q)^{\ell^*}$, where we use that $(1 - \Pr[\ldots]) \le 1$ in (16). Combining these bounds with the bounds on $\eta$, we get the statement of the Lemma. □
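As an added illustration of the artificial-abort analysis (this is not code from the paper), the Python below enumerates the auxiliary-input distribution $Y$ of the adaptive-id sibling for constructed toy parameters ($p = 5$, $\mu = 2$, $d = 2$, $q = 1$, chosen so that $Y$ can be enumerated exhaustively), computes $\eta(IS, \mathsf{id}^*)$ exactly from abort conditions a) and b), and checks it against the $X_{low}$ and $X_{up}$ of Lemma 8; identities are encoded as $\mu$-vectors $(1, x)$ as in $\Sigma_{ID}$, and the query identities are chosen not to be prefixes of $\mathsf{id}^*$.

```python
from fractions import Fraction
from itertools import product

# Constructed toy parameters for the adaptive-id analysis: they are tiny on
# purpose so that the whole auxiliary-input space Y can be enumerated exactly.
P, MU, D, Q = 5, 2, 2, 1        # prime p, vector length mu, max depth d, queries q
assert Q < Fraction(P, 2 * MU)  # hypothesis q < p/(2 mu) of Theorem 3


def inner(id_level, y_level):
    """<id_{i1}, y_{i1}> mod p for one level; id_level is a mu-vector (1, x)."""
    return sum(a * b for a, b in zip(id_level, y_level)) % P


def level_vectors():
    """Every y_{i1} the sibling's auxiliary input can take for one level:
    y'_{i1} and y_{i1}[2..mu] uniform in {0..2q-1}, xi_{i1} in {0..mu-1},
    and y_{i1}[1] = y'_{i1} - 2 xi_{i1} q."""
    for yp in range(2 * Q):
        for xi in range(MU):
            for tail in product(range(2 * Q), repeat=MU - 1):
                yield (yp - 2 * xi * Q,) + tail


def experiment_continues(IS, id_star, y):
    """Event E(IS, id*): neither abort condition a) nor b) fires for this y."""
    # b) every level of id* must be annihilated by the matching y_{i1}
    if any(inner(id_star[h], y[h]) != 0 for h in range(len(id_star))):
        return False
    # a) no queried identity may have all of its levels annihilated
    return not any(
        all(inner(ident[h], y[h]) == 0 for h in range(len(ident))) for ident in IS
    )


def eta(IS, id_star):
    """Exact eta(IS, id*) = Pr_Y[E(IS, id*)], obtained by enumerating all of Y."""
    hits = total = 0
    for y in product(list(level_vectors()), repeat=D):
        total += 1
        hits += experiment_continues(IS, id_star, y)
    return Fraction(hits, total)


def lemma8_bounds(id_star):
    """(X_low, X_up) of Lemma 8 for a challenge identity of depth ell*."""
    ell_star = len(id_star)
    return (Fraction(1, 2 * (2 * Q * MU) ** ell_star),
            Fraction(1, (2 * Q) ** ell_star))


def lemma8_holds(IS, id_star):
    x_low, x_up = lemma8_bounds(id_star)
    return x_low <= eta(IS, id_star) <= x_up


if __name__ == "__main__":
    # Constructed instance: depth-1 challenge, one depth-2 query that is not a prefix.
    ID_STAR = ((1, 0),)
    IS = [((1, 1), (1, 1))]
    print("eta =", eta(IS, ID_STAR), "bounds =", lemma8_bounds(ID_STAR))
```

For the instance in the `__main__` block, $X^{(1)}_1 = X^{(1)}_2 = 1$, so the bound of the proof is not tight and $\eta = 7/32$ lies strictly above $X_{low} = 1/8$; a single query differing from $\mathsf{id}^*$ at one level makes $\eta$ hit $X_{low}$ exactly.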